Re: [Crisp] xpc-00
Andrew Newton <andy@hxr.us> Fri, 20 May 2005 22:13 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DZFkj-0002tv-0G; Fri, 20 May 2005 18:13:57 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DZFkh-0002tq-NC for crisp@megatron.ietf.org; Fri, 20 May 2005 18:13:55 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA19835 for <crisp@ietf.org>; Fri, 20 May 2005 18:13:52 -0400 (EDT)
Received: from zak.ecotroph.net ([216.93.167.200]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DZG29-0002Zn-8X for crisp@ietf.org; Fri, 20 May 2005 18:31:57 -0400
Received: from [10.0.1.3] ([::ffff:64.83.8.178]) (AUTH: PLAIN anewton, SSL: TLSv1/SSLv3,128bits,RC4-SHA) by zak.ecotroph.net with esmtp; Fri, 20 May 2005 18:13:51 -0400 id 000FFB23.428E6120.00000D11
In-Reply-To: <487354f1050520135510819650@mail.gmail.com>
References: <200505021948.PAA25941@ietf.org> <487354f105051304317e721d2c@mail.gmail.com> <9e3522aa5fe0a1ec833faa465bfb43fd@hxr.us> <487354f1050519160738fe9cc1@mail.gmail.com> <5c3f85b9f172e2669a77d1ad04522093@hxr.us> <487354f1050520135510819650@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v619.2)
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Message-Id: <78def96486af1f50c4756dca1b9c9931@hxr.us>
Content-Transfer-Encoding: 7bit
From: Andrew Newton <andy@hxr.us>
Subject: Re: [Crisp] xpc-00
Date: Fri, 20 May 2005 18:13:54 -0400
To: Robert Martin-Legene <rlegene@gmail.com>
X-Mailer: Apple Mail (2.619.2)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 6cca30437e2d04f45110f2ff8dc1b1d5
Content-Transfer-Encoding: 7bit
Cc: CRISP WG <crisp@ietf.org>
X-BeenThere: crisp@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Cross Registry Information Service Protocol <crisp.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/crisp>, <mailto:crisp-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:crisp@ietf.org>
List-Help: <mailto:crisp-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/crisp>, <mailto:crisp-request@ietf.org?subject=subscribe>
Sender: crisp-bounces@ietf.org
Errors-To: crisp-bounces@ietf.org
On May 20, 2005, at 4:55 PM, Robert Martin-Legene wrote: > On 20/05/05, Andrew Newton <andy@hxr.us> wrote: >> Well, I don't think this is so much a security concern but rather a >> detection of a bad client concern. > > Where's the limit between the two? > > Is security a remote root compromise? Or a simple denial of service? > Isn't it to secure your services to make sure they can handle > intentious bad client behaviour? (besides just malformed xml). Maybe I > am just too paranoid.. again. What I'm attempting to say is that if you follow the framing outlined by the protocol to catch poorly acting clients, you'll catch the cases where things like this happen instead of just buffering forever, overflowing stacks, etc... >> If I understand you correctly, you are worried that a client says "I >> have 95 octets to send" and then sends 100 more after the end of the >> block. > > Not after the block. I meant within the block. The usual > implementation of this kind would probably not start processing the > inner contents of the "xml entity" (or what is believed to be xml) > until the entire block is in (although one could do it word by word I > reckon - but that is uncommon). So I'll just keep sending you chunks > with the text "h4h4h4 y00 4r3 g3771|\|G pWn3d" without ever saying > that it's the last chunk. How will your implementation handle that? Well, now that you are making me strenuously think about this, there are four situations here... of which perhaps only three are covered: 1) Something in the way the chunk is described is wrong: well, that really only leaves the chunk descriptor which is one octet. I think the draft talks about when to send block errors for these situations. 2) Something in the data of the chunk is wrong: You read in the chunk descriptor and the chunk length. This is three discrete octets. The chunk length tells you how many octets to read next. Once you have read in those bytes, you hand the data to your XML parser. The complexity of this step depends on the capabilities of your XML parser, but there are at least 3 strategies: a) some XML parsers make this brain dead simple by offering a feed() function that just takes XML fragments (I believe Python, Perl, and libxml can do this), b) for parsers that are use to pulling the data from the source, a separate thread can be used for reading the socket and piping the data to the XML parser (this is the case for Java, fortunately NIO eliminates the potential for thread bloat here), and c) you just buffer it and hand the data to the parser after reading the last octet of the last chunk. No matter what, once the XML parser throws an exception, your server should send a data error (and perhaps close the session, depending on how nice you are). When using strategies a or b, you can send this data error the moment the error occurs. And if using strategies a or b and your server has already started responding with legitimate answers, you can still send a data error (by changing the chunk type). If your server is nice and keeps the connection open, then you have to continue reading the block if you are using a or b. But I don't see a point in being nice (lots of people can confirm this). 3) The chunk data contains XML with lots of ignorable whitespace: this isn't directly covered by the draft. Technically, the ignorable whitespace should not cause your XML parser to reject the data, but I can see not wanted to accept 2000 octets of tab characters. While a data error might cover that, we probably ought to define an error case that explicitly speaks to this. Such as, "you have sent me an XML instance that is 900k long so far, perhaps you ought to get a hold of yourself". 4) The block contains lots of short, but very straightforward search sets. Your server could just respond with IRIS <permissionDenied> or <limitExceeded> errors for every search set, or could use the new error code from #3. -andy _______________________________________________ Crisp mailing list Crisp@ietf.org https://www1.ietf.org/mailman/listinfo/crisp
- [Crisp] I-D ACTION:draft-ietf-crisp-iris-xpc-00.t… Internet-Drafts
- [Crisp] xpc-00 Robert Martin-Legene
- Re: [Crisp] xpc-00 Andrew Newton
- Re: [Crisp] xpc-00 Robert Martin-Legene
- Re: [Crisp] xpc-00 Andrew Newton
- Re: [Crisp] xpc-00 Robert Martin-Legene
- Re: [Crisp] xpc-00 Andrew Newton
- Re: [Crisp] xpc-00 Robert Martin-Legene