On Sat, 10 Aug 2013 09:33:05 -0700, Noah Misch , wrote:
>Note that PostgreSQL 8.3 had xmlvalidate() for a time; commit
we found that, xmlvalidate() was for checking well formedness of an xml doc, not for validating against xml schema, we
inferredthis from Release note of 8.2
for reference, below is the content from release documentation of version 8.2
" In contrib/xml2/, rename xml_valid() to xml_is_well_formed() (Tom) xml_valid() will remain for backward
compatibility,but its behavior will change to do schema checking in a future release."
[http://www.postgresql.org/docs/8.2/static/release-8-2.html]
>3bf822c4d722d6245a65abdd2502a9d26ab990d5 removed it due to security problems.
>A new implementation (or revamp of the old) must avoid reintroducing those
>vulnerabilities. Similar considerations apply to XML Schema.
the main vulnerability in the xmlvalidate()
[http://www.postgresql.org/message-id/20080301024649.3CDCD754108@cvs.postgresql.org]was mainly because one of the
parameterwas file path.
But in our case, we are taking xml as a string, currently we didn't proposed file path as a input parameter to any of
ourfunction.
Thanks,
Pridhvi & Vikrantsingh
IIIT Bangalore
