On "max. tag nesting depth" in the Kolab-Format spec
Florian v. Samson
florian.samson at bsi.bund.de
Fri Jul 15 11:22:48 CEST 2011
Am Freitag, 15. Juli 2011 um 10:37:33 schrieb Georg C. F. Greve:
> Just very briefly, I will come back to kolab-format@ with a bit more time
> in the next weeks, but I think some more work needs to be done on showing
> the rationale for a hard-coded nesting depth limit:
> On Friday 15 July 2011 10.12:49 Florian v. Samson wrote:
> > In short: Why not?
> "640K ought to be enough for anybody."
> There is an inherent problem with foreseeing absolute numbers and limits
> in computing, and changing this later if/when we hit that barrier will be
> very expensive for all clients.
While I do understand this aspect and have no issue with raising the limit
to e.g. 127, I do agree with Bernhard that there ought to be one.
I do believe that this specific case has its logical limits in nesting
depth: a XML-construct which may nest indefinitely would be very bad
design, IMO. So this case is much more specific and does have its logical
boundaries which *are* roughly assessable, in contrast to, e.g., the
resource consumption of software in 15 years in terms of "Main memory
space", "Mass storage space", "Computing power", "I/O load" etc.
> > You have not argued against any of the dangers I pointed out:
> The threat scenario so far seems based on a malicious user that
> deliberately tries to destroy data.
... or just let the clients of many other Kolab-users go awry (DOS).
And those which stumble would do so until the forged Kolab-object is deleted
on the server.
> This is a scenario that is almost
> impossible to protect against in the end, and nesting bombs are a lot
> more complex as an attack than currently existing attack vectors which we
> realistically cannot prevent.
Really, I cannot think of anything much simpler than to forge and upload a
Kolab-object to a shared IMAP-folder on a Kolab-server.
Can you please provide two or three examples of the "a lot simpler currently
existing attack vectors which we realistically cannot prevent."?
More information about the format