[ILUG] is libxml(2) insecure?
Laur Ivan
laur.ivan at corvil.com
Fri Oct 29 16:20:16 IST 2004
On Friday 29 October 2004 14:25, Baruch Even wrote:
> On Fri, 2004-10-29 at 09:25, Laur Ivan wrote:
> > 1. Is this the generic case? The only place I remember seeing XML used is
> > the fontconfig (and more recently, D-BUS).
>
> The traditional UNIX configs are like that, there is a growing tendency
> towards XML config files which is not easy to understand as config files
> should also be readable/editable by human beings and xml is not a format
> for humans.
True, but my objective is a laptop tool, which would go in the "linux desktop"
category of tools (aka the user shall be provided with a gui for editing the
configuration and will not need to know about the config file).
>
> > 2. Besides the ability to include such linear files in scripts through ".
> > script", is there any other reason?
>
> They are easy to change with a program, they are easy to check with a
> program, updating the configs with a script is possible with grep and
> sed.
Point taken :)
>
> I needed to do a similar thing with an XML config of fontconfig for a
> Debian package and the change I do is brittle, I'd actually need to
> write a program to do this correctly, this is against the unix tradition
> of using small tools that do one thing correctly and combine them.
True, but does it apply to my case?
>
> > 3. Is the XML library a security risk? Would it be ok use it for
> > configuration storage/processing?
>
> It's not a security risk, but it might very well be a HCI risk.
if (HCI == human-computer interface) {
Well, the human would never need to see the file itself :)
} else {
what's HCI ? :)
}
>
> My experience with XML hasn't been a very good one, other formats are
> easier to parse and easier to generate.
I'm neutral at this point. I liked Python+XML and wrote C/XML as well. Both
seemed OK. I find XPath very useful...
L