[Last-Call] Secdir last call review of draft-ietf-httpapi-yaml-mediatypes-04

Reviewer: Shawn Emery
Review result: Has Nits

This informational draft specifies an IANA registry for the previously
unpublished YAML media type and structured syntax suffix.  YAML is a data
serialization format used for combining one or more documents into one file or
network resource.

The security considerations section refers to section 4.6 of RFC 6838 and
possible exploits regarding arbitrary code execution from YAML tags, DoS
through infinite or high recursion, and DoS through the partial processing of
YAML streams.  I do agree with each of the mitigations prescribed for the
aforementioned exploits, but it does seem counterintuitive to me to validate
all the documents in the stream before processing.  Does this defeat the
purpose of streaming?

General Comments:

The FAQ section helped me to understand why some of these design decisions were
made, thank you.

Editorial Comments:

s/Security considerations: See Section 2.1/Security considerations: See Section 4/
s/impact on the/impact the/
s/serialize it JSON/serialize it in JSON/
s/details: this/details, which/


-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
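As an added example (not part of the review or of the draft it discusses), the "validate every document before processing" approach the review raises, written in Ruby against the standard Psych library: the full stream is parsed and depth-checked before any document is turned into objects, tagged classes and aliases are refused at conversion time, and the input is size-bounded because buffering the whole stream is what makes whole-stream validation possible. The limits, the error class and the helper names are this example's own choices.

```ruby
require 'psych'   # Ruby's standard YAML library

MAX_BYTES = 1_000_000  # limits chosen for this example, not taken from the draft
MAX_DEPTH = 32

class StreamPolicyError < StandardError; end

# Nesting depth of a parsed node tree. Alias nodes are leaves in the tree,
# so a self-referencing document cannot send this walk into a loop.
def node_depth(node, depth = 0)
  kids = node.children || []
  return depth if kids.empty?
  kids.map { |c| node_depth(c, depth + 1) }.max
end

# Parse the whole stream, validate every document, and only then build
# Ruby objects. Raises on the first violation; nothing is processed early.
def load_validated_stream(text, max_bytes: MAX_BYTES, max_depth: MAX_DEPTH)
  # Whole-stream validation means buffering it all, so bound the size first.
  raise StreamPolicyError, "stream exceeds #{max_bytes} bytes" if text.bytesize > max_bytes
  stream = Psych.parse_stream(text)  # syntax of every document is checked here
  stream.children.each_with_index do |doc, i|
    d = node_depth(doc)
    raise StreamPolicyError, "document #{i} nests #{d} levels (limit #{max_depth})" if d > max_depth
  end
  stream.children.map do |doc|
    single = Psych::Nodes::Stream.new      # re-emit one document at a time
    single.children << doc
    # Restricted loader: no tagged classes (no object construction) and no
    # aliases (no reference expansion). Note that dates are refused too.
    Psych.safe_load(single.to_yaml, permitted_classes: [], aliases: false)
  end
end

# Accept/reject view for callers that only need a verdict.
def stream_accepted?(text, **limits)
  load_validated_stream(text, **limits)
  true
rescue StreamPolicyError, Psych::Exception
  false
end
```

The byte bound is the cost of answering the streaming question this way: nothing is acted on until the last document has been checked, so the buffer itself has to be limited.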
