[ILUG] is libxml(2) insecure?

Baruch Even baruch at ev-en.org
Fri Oct 29 14:25:21 IST 2004


On Fri, 2004-10-29 at 09:25, Laur Ivan wrote:
> 1. Is this the generic case? The only place I remember seeing XML used is the 
> fontconfig (and more recently, D-BUS).

The traditional UNIX configs are like that; there is a growing tendency
towards XML config files which is not easy to understand, as config files
should also be readable/editable by human beings and xml is not a format
for humans.

> 2. Besides the ability to include such linear files in scripts through ". 
> script", is there any other reason?

They are easy to change with a program, they are easy to check with a
program, updating the configs with a script is possible with grep and
sed.

I needed to do a similar thing with an XML config of fontconfig for a
Debian package and the change I do is brittle; I'd actually need to
write a program to do this correctly, which is against the unix tradition
of using small tools that do one thing correctly and combining them.

> 3. Is the XML library a security risk? Would it be ok to use it for configuration
> storage/processing?

It's not a security risk, but it might very well be an HCI risk.

My experience with XML hasn't been a very good one, other formats are
easier to parse and easier to generate.

Baruch
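As an added illustration of the "brittle change" point above (not part of the original thread, and not fontconfig's or Debian's code), the following Python script contrasts a grep/sed-style regex edit of an XML config with an edit done through a real XML parser. The sample document is constructed here, loosely modelled on a fontconfig-style file; the element names and paths in it are assumptions for the example. The regex happily matches a commented-out `<dir>` element, which a parser never sees, and the parser-based edit is idempotent, which is what a package maintainer script needs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in a fontconfig-like shape (hypothetical content, not a real system file).
# Note the commented-out <dir> on the second line: text tools cannot tell it from a live one.
SAMPLE = """<?xml version="1.0"?>
<fontconfig>
  <!-- <dir>/usr/share/fonts/old</dir> -->
  <dir>/usr/share/fonts</dir>
  <dir prefix="xdg">fonts</dir>
  <alias>
    <family>serif</family>
    <prefer><family>DejaVu Serif</family></prefer>
  </alias>
</fontconfig>
"""


def dirs_via_regex(text):
    """The grep/sed approach: pattern-match <dir>...</dir> in the raw text.

    This is what a shell one-liner effectively does. It has no notion of
    comments, CDATA or nesting, so it returns the commented-out entry too.
    """
    return re.findall(r"<dir[^>]*>([^<]*)</dir>", text)


def dirs_via_parser(text):
    """The parser approach: only real <dir> children of the root element count.

    ElementTree's default builder drops comments, so the commented-out entry
    is not reported.
    """
    root = ET.fromstring(text)
    return [d.text for d in root.findall("dir")]


def add_dir_via_parser(text, path):
    """Add a <dir> entry after the last existing one, without duplicating it.

    Returns the serialised document. Re-running with the same path is a no-op,
    which a maintainer script that may run on every upgrade relies on.
    """
    root = ET.fromstring(text)
    existing = root.findall("dir")
    if any(d.text == path for d in existing):
        return text
    new = ET.Element("dir")
    new.text = path
    # Insert right after the last live <dir>, or first if there is none.
    position = list(root).index(existing[-1]) + 1 if existing else 0
    root.insert(position, new)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("regex sees :", dirs_via_regex(SAMPLE))
    print("parser sees:", dirs_via_parser(SAMPLE))
    updated = add_dir_via_parser(SAMPLE, "/opt/fonts")
    print("after edit :", dirs_via_parser(updated))
```

Run stand-alone it prints three directories for the regex (including the commented-out one) and two for the parser, then three after the parser-based edit. The same difference is what makes a sed edit of such a file brittle: whether the substitution lands on a live element, a comment or an attribute value depends on formatting details a text tool does not understand.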

