Re: conformance languages (issue 278), was: Last Call: <draft-ietf-httpbis-content-disp-06.txt> (Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP)) to Proposed Standard

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 06 Mar 2011 12:13:11 +0100
Message-ID: <4D736C47.3010002@gmx.de>
To: Barry Leiba <barryleiba@computer.org>
CC: ietf@ietf.org, ietf-http-wg@w3.org

On 02.03.2011 15:11, Julian Reschke wrote:
> ...
> Proposed change for the three items in 4.3:
>
> o Many platforms do not use Internet Media Types ([RFC2046]) to hold
> type information in the file system, but rely on filename
> extensions instead. Trusting the server-provided file extension
> could introduce a privilege escalation when the saved file is
> later opened (consider ".exe"). Thus, recipients SHOULD ensure
> that a file extension is used that is safe, optimally matching the
> media type of the received payload.
>
> o Recipients SHOULD strip or replace character sequences that are
> known to cause confusion both in user interfaces and in filenames,
> such as control characters and leading and trailing whitespace.
>
> o Other aspects recipients need to be aware of are names that have a
> special meaning in the file system or in shell commands, such as
> "." and "..", "~", "|", and also device names. Recipients SHOULD
> ignore or substitute names like these.
>
> (see
> <http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/278/i278.diff>).
> ...

...applied with 
<http://trac.tools.ietf.org/wg/httpbis/trac/changeset/1152>; I plan to 
submit a -07 draft soon after LC ends.

Best regards, Julian
Received on Sunday, 6 March 2011 11:13:53 GMT
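
An added example, not part of the original message or of the draft: one way a recipient could apply the three quoted 4.3 items to a server-proposed filename before saving. The function name, the media-type table, and the fallback name and extension are assumptions made for illustration; handling of path separators is outside these three items and is not shown.

```python
import posixpath
import re
import unicodedata

# Assumed policy table (constructed for this example): media type -> accepted
# extensions; the first entry is substituted when the proposed one differs.
SAFE_EXT = {
    "text/plain": [".txt"],
    "image/png": [".png"],
    "image/jpeg": [".jpg", ".jpeg"],
    "application/pdf": [".pdf"],
}
FALLBACK_EXT = ".bin"       # assumed extension for media types not in the table
FALLBACK_NAME = "download"  # assumed substitute for names that must be ignored

# Windows device names, reserved with or without an extension.
DEVICE = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])$", re.IGNORECASE)


def safe_filename(proposed: str, media_type: str) -> str:
    """Return a filename safe to save under, given the payload's media type."""
    # Item 2: drop control characters (Unicode category Cc), then trim
    # leading and trailing whitespace.
    name = "".join(c for c in proposed if unicodedata.category(c) != "Cc")
    name = name.strip()

    # Item 3: substitute characters with shell meaning, then replace names
    # that are empty, dot-only ("." / "..") or a device name.
    name = name.replace("|", "_").replace("~", "_")
    stem, ext = posixpath.splitext(name)
    if not stem.strip("._ ") or DEVICE.match(stem.split(".")[0]):
        stem = FALLBACK_NAME

    # Item 1: keep the extension only if it matches the received media type;
    # otherwise use the type's own extension instead of the server's.
    base_type = media_type.split(";")[0].strip().lower()
    allowed = SAFE_EXT.get(base_type, [FALLBACK_EXT])
    if ext.lower() not in allowed:
        ext = allowed[0]
    return stem + ext
```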