It’s time to take XML out back and shoot it
XML Anxiety
XML security problems are numerous, but you can take steps to limit your exposure – or you can use a different standard.
For this month’s column, I intended to write about XML security and how to avoid all the attacks and problems that can occur. I started making a list of issues both well known and not so well known. After listing 20 items, I realized I wouldn’t have enough space to cover everything, so I moved on to plan B: Instead of focusing on the problems, I’d look at the solutions. This worked reasonably well until I realized one small problem: Even if you use software like Python’s new defusedxml and defusedexpat a number of problems are still difficult to deal with.
A Brief History of XML
XML came from the W3C (World Wide Web Consortium), who also brought us SGML (from which XML comes), SOAP, HTML, you name it. To say that XML and its related family of standards is complicated is a gross understatement – with XML, XML Schema, RELAX NG, XPath, XSLT, XML Signatures, and XML Encryption to name a few. XML also has been extended into XHTML, RSS, Atom, and KML, to name a few more standards. About the only good news I have is that XML and most of its family of standards are NOT Turing complete (unlike, say, PostScript), but you can embed some pretty funky logic into XML files that can cause problems in the various XML parsers.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia
News
-
StarLabs has Released Another Linux Laptop
A new 14" Linux laptop has been released by the company that created the 11" Star Lite and can be purchased with your choice of Linux distribution.
-
Ubuntu 21.04 Adds Support for Active Directory and Other Major Changes
In a bid to help make Linux more viable for the business desktop, Canonical adds support for Active Directory and a few other notable changes.
-
GNOME 40 Available on openSUSE
The rolling release edition of openSUSE, Tumbleweed, now offers the latest version of the GNOME desktop.
-
Apple M1 Hardware Support to be Merged into Linux Kernel 5.13
Linux users will be able to install their favorite distribution on Apple’s M1-based hardware.
-
KDE Launches the Qt 5 Patch Collection
To support and maintain a stable Qt 5 for KDE Gears and Frameworks, KDE will maintain a patch collection.
-
Linux Creator Warns Next Kernel Could be Delayed
Linus Torvalds has issued concern about the size of kernel 5.12 and possible delays for its release.
-
System76 Updates its Pangolin Laptop
System76 has released a much-anticipated AMD version of their most popular laptop, the Pangolin.
-
New Debian-Based Distribution Arrives on the Market
TelOS is a new Debian-based Linux distribution with a customized, touch-screen-ready KDE Plasma 5 desktop.
-
System76 Releases New Thelio Desktop
One of the most ardent supporters of open source hardware has released a new desktop machine for home or office.
-
Mageia 8 Now Available with Linux 5.10 LTS
The latest release of Mageia includes improved graphics support for both AMD and NVIDIA GPUs.