It’s time to take XML out back and shoot it
XML Anxiety
XML security problems are numerous, but you can take steps to limit your exposure – or you can use a different standard.
For this month’s column, I intended to write about XML security and how to avoid all the attacks and problems that can occur. I started making a list of issues both well known and not so well known. After listing 20 items, I realized I wouldn’t have enough space to cover everything, so I moved on to plan B: Instead of focusing on the problems, I’d look at the solutions. This worked reasonably well until I realized one small problem: Even if you use software like Python’s new defusedxml and defusedexpat a number of problems are still difficult to deal with.
A Brief History of XML
XML came from the W3C (World Wide Web Consortium), who also brought us SGML (from which XML comes), SOAP, HTML, you name it. To say that XML and its related family of standards is complicated is a gross understatement – with XML, XML Schema, RELAX NG, XPath, XSLT, XML Signatures, and XML Encryption to name a few. XML also has been extended into XHTML, RSS, Atom, and KML, to name a few more standards. About the only good news I have is that XML and most of its family of standards are NOT Turing complete (unlike, say, PostScript), but you can embed some pretty funky logic into XML files that can cause problems in the various XML parsers.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
There's a New Open Source Terminal App in Town
Ghostty is a new Linux terminal app that's fast, feature-rich, and offers a platform-native GUI while remaining cross-platform.
-
Fedora Asahi Remix 41 Available for Apple Silicon
If you have an Apple Silicon Mac and you're hoping to install Fedora, you're in luck because the latest release supports the M1 and M2 chips.
-
Systemd Fixes Bug While Facing New Challenger in GNU Shepherd
The systemd developers have fixed a really nasty bug amid the release of the new GNU Shepherd init system.
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.