[rfc-i] Proposal for v3 to simplify most references

Nico Williams nico at cryptonector.com
Mon Feb 10 08:56:14 PST 2014


On Mon, Feb 10, 2014 at 10:52 AM, John R Levine <johnl at taugh.com> wrote:
>>>>    <library name="RFC-Editor"/>
>>>>    <library name="my-lib" ref="URI to my reference library">
>
> I'm not at all thrilled by a feature that lets random people who submit I-Ds
> put in active code that makes xml2rfc fetch random possibly hostile URLs.
> Kaboom.  It doesn't have to make xml2rfc do anything particularly evil, just
> making it crash or hang (imagine a hostile URL that trickles the bytes out
> very slowly) would screw up a lot of automated scripts.

That's there now via XML entities.  Perhaps the submission system
should reject I-Ds whose XML references anything other than the
RFC-Editor's standard reference library.  A mode of xml2rfc will be
needed where it replaces external library references by in-lining
them.  In any case, there's no reason not to permit private reference
libraries though (particularly considering the private memo feature).

Nico
--
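
Added example, not part of the original message and not xml2rfc or submission-tool code: one way a submission system could list the external entities an I-D's XML declares, without fetching any of them, and reject those outside the standard reference library. The host `reference-library.example`, the `/bibxml/` path and all function names are assumptions, and the sample document is constructed.

```python
import xml.parsers.expat
from urllib.parse import urlsplit

# Assumption: placeholder location of the standard reference library.
ALLOWED_HOST = "reference-library.example"
ALLOWED_PATH = "/bibxml/"

# Constructed sample I-D source: one standard reference, one private one.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "https://reference-library.example/bibxml/reference.RFC.2119.xml">
<!ENTITY mylib SYSTEM "http://private.example.net/refs/my-ref.xml">
<!ENTITY note "inline text">
]>
<rfc><back><references>&RFC2119;&mylib;</references></back></rfc>"""

def external_entities(xml_bytes):
    """List (name, system_id) for each external entity declared in the DTD.

    No ExternalEntityRefHandler is installed, so expat reports the
    declarations but never retrieves what they point at.
    """
    found = []
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:  # external entities carry a system id, not a literal value
            found.append((name, system_id))
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return found

def is_standard_library(system_id):
    """True only for https URLs under the allowed host and path."""
    url = urlsplit(system_id)
    return (url.scheme == "https" and url.hostname == ALLOWED_HOST
            and url.path.startswith(ALLOWED_PATH)
            and ".." not in url.path.split("/"))

def check_submission(xml_bytes):
    """Return the names of entities a submission system would reject."""
    return [name for name, sid in external_entities(xml_bytes)
            if not is_standard_library(sid)]

if __name__ == "__main__":
    print(check_submission(SAMPLE))
```
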

