As an example of the first one at least, consider the following XML
record
<?xml version="1.0"?>
<!DOCTYPE record [ <!ENTITY entries SYSTEM
"http://www.schmerg.com/entries.txt";> ] >
<record> &entries; </record>
That's been precluded by the static header of the record. It's not
possible to do this with MARID/SenderID.
So my SPF XML parser now needs to understand arbitrary file inclusions
including how to retrieve such files - how many of http, ftp, tftp,
smb etc protocols have I just included, and how many of these have
buffer overflow and similar exploits ?
Nope! It's a locked-down subset of XML.
If there was a definition of reasonable subsets of XML to drop all the
extended stuff, I'd sort of agree, but AFAIK if you're going to do XML
you have to the whole thing, and I don't like the idea of my hardened
minimal email firewall invoking expat and a whole HTTP library on each
incoming email (have you seen the initialisation time on sablotron and
expat?).
Not hardly. You only have to do the whole thing as a document language.
As a general interchange format, there's a lot of reasonable subsets of
XML. Many systems don't support external entities at all, considering
them obsolete.
Ari