
Re: conformance languages (issue 278), was: Last Call: <draft-ietf-httpbis-content-disp-06.txt> (Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP)) to Proposed Standard

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 02 Mar 2011 15:11:40 +0100
Message-ID: <4D6E501C.2020000@gmx.de>
To: Barry Leiba <barryleiba@computer.org>
CC: ietf@ietf.org, ietf-http-wg@w3.org

On 01.03.2011 17:00, Barry Leiba wrote:
>> I agree that this needs tuning; but I'd rather not invent a new keyword for
>> that.
> Sensible.
>> The appendix D
>> (<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-content-disp-06.html#rfc.section.D>)
>> isn't meant to be normative; thus I believe leaving it the way it is ought
>> to be ok.
> OK.
>> With respect to
>> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-content-disp-06.html#rfc.section.4.3>,
>> I believe we really should say "SHOULD" in all the three last items:
> It all works for me.  Thanks, and again, I'm sorry to pipe in late.
> ...

Proposed change for the three items in 4.3:

    o  Many platforms do not use Internet Media Types ([RFC2046]) to hold
       type information in the file system, but rely on filename
       extensions instead.  Trusting the server-provided file extension
       could introduce a privilege escalation when the saved file is
       later opened (consider ".exe").  Thus, recipients SHOULD ensure
       that a file extension is used that is safe, optimally matching the
       media type of the received payload.

    o  Recipients SHOULD strip or replace character sequences that are
       known to cause confusion both in user interfaces and in filenames,
       such as control characters and leading and trailing whitespace.

    o  Other aspects recipients need to be aware of are names that have a
       special meaning in the file system or in shell commands, such as
       "." and "..", "~", "|", and also device names.  Recipients SHOULD
       ignore or substitute names like these.


Best regards, Julian
Received on Wednesday, 2 March 2011 14:12:28 UTC
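
The three recipient-side checks proposed in the message above, as an added Python example that is not part of the original message or of the draft. The extension allow-list, the fallback name and extension, and the function name `sanitize_filename` are assumptions made for illustration.

```python
import os
import re
import unicodedata

# Constructed allow-list (assumption): media type -> safe extensions, default first.
SAFE_EXTENSIONS = {
    "text/plain": (".txt",),
    "image/png": (".png",),
    "image/jpeg": (".jpg", ".jpeg"),
    "application/pdf": (".pdf",),
}
FALLBACK_EXT = ".bin"        # assumption: inert extension for unlisted media types
FALLBACK_NAME = "download"   # assumption: substitute for unusable names
SPECIAL_NAMES = {"", ".", "..", "~"}
# Reserved Windows device names, matched case-insensitively.
DEVICE_NAME = re.compile(r"(con|prn|aux|nul|com[1-9]|lpt[1-9])", re.IGNORECASE)


def sanitize_filename(raw, media_type):
    """Return a filename for saving a payload, derived from a server-provided name."""
    # Item 2: drop control characters (Unicode category Cc), then trim whitespace.
    name = "".join(ch for ch in raw if unicodedata.category(ch) != "Cc").strip()
    # Item 3: "|" has a special meaning in shell commands; substitute it.
    name = name.replace("|", "_")

    stem, ext = os.path.splitext(name)
    stem = stem.strip(". ")
    # Item 3: substitute names with a special meaning in the file system.
    if stem in SPECIAL_NAMES:
        stem = FALLBACK_NAME
    elif DEVICE_NAME.fullmatch(stem):
        stem = "_" + stem

    # Item 1: keep the extension only if it matches the payload's media type.
    essence = media_type.split(";", 1)[0].strip().lower()
    allowed = SAFE_EXTENSIONS.get(essence, (FALLBACK_EXT,))
    if ext.lower() not in allowed:
        ext = allowed[0]
    return stem + ext
```

The function covers only the three items quoted in the message; it assumes any directory components have already been removed from the name.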
