[ILUG] is libxml(2) insecure?

Laur Ivan laur.ivan at corvil.com
Fri Oct 29 09:52:43 IST 2004


On Friday 29 October 2004 09:37, Kenn Humborg wrote:
> > had a look in /etc/sysconfig to get a feel for the type of configuration
> > files used by the "network start/stop". ...and noticed that all files I
> > looked at are ".ini" style (aka "Key=Value"). Few questions arise:
>
> They're not ".INI"-style.  Windows' .INI files are broken into
> sections delimited by square bracketed names.  For example
>
>    [section1]
>    key=value
>    key2=value
>    [section2]
>    key=value
>    key2=value
Yop, my mistake :) that's what I meant: key=val, no groups

>
> > 1. Is this the generic case? The only place I remember seeing XML
> > used is the
> > fontconfig (and more recently, D-BUS).
>
> I'm not sure if the /etc/sysconfig thing is a redhat-ism.  I first
> saw it there.
But besides that, imho most config files in /etc are linear (not xml).

>
> > 2. Besides the ability to include such linear files in scripts through ".
> > script", is there any other reason?
>
> It's trivial to parse these files in shell scripts, because there is
> absolutely no parsing required.  Just feed them to the shell and
> environment variables get set.
I understand the reasoning for shell processing, but I was wondering if there 
are some serious security arguments for not using XML as config files for 
binaries...

Cheers,
L
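
The quoted point about feeding key=value files to the shell has a security side: `. file` runs the file as shell code, so a program that only needs the values can read them as data instead. The sketch below is an added example, not part of the original message; `get_conf_value` is a hypothetical helper and the sample file contents are constructed.

```shell
#!/bin/sh
# Read one key from a KEY=VALUE file without executing the file.
# get_conf_value is a hypothetical helper, not taken from any distribution.
get_conf_value() {
    file=$1 want=$2
    # Only accept names that are valid shell identifiers.
    case $want in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 2 ;;
    esac
    found=1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;   # blank lines and comments
            *=*) ;;                 # candidate assignment
            *) continue ;;          # anything else is ignored, never run
        esac
        key=${line%%=*}
        val=${line#*=}
        [ "$key" = "$want" ] || continue
        # Strip one pair of matching surrounding quotes; nothing is expanded.
        case $val in
            \"*\") val=${val#\"}; val=${val%\"} ;;
            \'*\') val=${val#\'}; val=${val%\'} ;;
        esac
        result=$val                 # last assignment wins, as when sourcing
        found=0
    done < "$file"
    [ "$found" -eq 0 ] && printf '%s\n' "$result"
    return "$found"
}

# Constructed sample in the style of an /etc/sysconfig file (not a real one).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample
NETWORKING=yes
HOSTNAME="gw.example.org"
GATEWAY=$(echo injected)
EOF

get_conf_value "$sample" HOSTNAME   # prints gw.example.org
get_conf_value "$sample" GATEWAY    # prints the literal text $(echo injected)
```

Sourcing the same sample would run the command substitution on the `GATEWAY` line; the parser returns it as plain text.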


