- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 02 Mar 2011 15:11:40 +0100
- To: Barry Leiba <barryleiba@computer.org>
- CC: ietf@ietf.org, ietf-http-wg@w3.org
On 01.03.2011 17:00, Barry Leiba wrote:

>> I agree that this needs tuning; but I'd rather not invent a new keyword for
>> that.
>
> Sensible.
>
>> The appendix D
>> (<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-content-disp-06.html#rfc.section.D>)
>> isn't meant to be normative; thus I believe leaving it the way it is ought
>> to be ok.
>
> OK.
>
>> With respect to
>> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-content-disp-06.html#rfc.section.4.3>,
>> I believe we really should say "SHOULD" in all the three last items:
>
> It all works for me. Thanks, and again, I'm sorry to pipe in late.
> ...

Proposed change for the three items in 4.3:

o Many platforms do not use Internet Media Types ([RFC2046]) to hold type information in the file system, but rely on filename extensions instead. Trusting the server-provided file extension could introduce a privilege escalation when the saved file is later opened (consider ".exe"). Thus, recipients SHOULD ensure that a file extension is used that is safe, optimally matching the media type of the received payload.

o Recipients SHOULD strip or replace character sequences that are known to cause confusion both in user interfaces and in filenames, such as control characters and leading and trailing whitespace.

o Other aspects recipients need to be aware of are names that have a special meaning in the file system or in shell commands, such as "." and "..", "~", "|", and also device names. Recipients SHOULD ignore or substitute names like these.

(see <http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/278/i278.diff>).

Best regards, Julian
Received on Wednesday, 2 March 2011 14:12:28 UTC
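The three recipient-side checks in the proposed 4.3 text, carried out in order by an added Python example that is not part of the thread or the draft. The media-type allowlist, the ".bin" fallback, the "download" substitute name and the Windows device-name list are assumptions for illustration.

```python
import os
import re

# Constructed allowlist (assumption): which extensions are acceptable for a media type.
SAFE_EXTENSIONS = {
    "text/plain": {".txt"},
    "image/png": {".png"},
    "application/pdf": {".pdf"},
}
FALLBACK_EXT = ".bin"        # assumption: used when the media type is not in the allowlist
SUBSTITUTE_STEM = "download"  # assumption: replaces names that must not be used as-is

# Item 3: names with special meaning in file systems or shells (the draft's examples)
# plus Windows reserved device names (assumption, not listed in the draft).
RESERVED_NAMES = {".", "..", "~", "|"}
DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL",
                *(f"COM{i}" for i in range(1, 10)), *(f"LPT{i}" for i in range(1, 10))}

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
SHELL_SPECIAL = re.compile(r"[|~/\\:*?\"<>]")


def safe_filename(server_name: str, media_type: str) -> str:
    """Derive a local filename from a server-supplied one and the declared media type."""
    # Item 2: drop control characters and leading/trailing whitespace.
    name = CONTROL_CHARS.sub("", server_name).strip()
    # Keep only the last path segment so directory components cannot redirect the save.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, ext = os.path.splitext(name)

    # Item 3: ignore names like ".", "..", "~", "|" and device names, substituting a fixed stem.
    if stem in RESERVED_NAMES or stem.upper() in DEVICE_NAMES:
        stem = SUBSTITUTE_STEM
    # Remaining shell metacharacters are replaced; an empty result gets the substitute too.
    stem = SHELL_SPECIAL.sub("_", stem).strip(". ") or SUBSTITUTE_STEM

    # Item 1: the extension follows the declared media type, not the server's choice.
    allowed = SAFE_EXTENSIONS.get(media_type.split(";")[0].strip().lower())
    if allowed is None:
        ext = FALLBACK_EXT
    elif ext.lower() not in allowed:
        ext = sorted(allowed)[0]
    return stem + ext


if __name__ == "__main__":
    # Constructed inputs a server might send in Content-Disposition.
    for raw, mt in [("invoice.exe", "application/pdf"), ("..", "text/plain"),
                    (" \x07notes.txt\r\n", "text/plain; charset=utf-8"), ("CON.txt", "text/plain")]:
        print(repr(raw), "->", safe_filename(raw, mt))
```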