- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 16 Dec 2008 11:43:55 +0100
- To: Marcos Caceres <marcosscaceres@gmail.com>, Frederick Hirsch <frederick.hirsch@nokia.com>
- Cc: public-webapps <public-webapps@w3.org>
I suggest removing the editorial note currently present in section 8 of the Editor's Draft. Instead, add the following to the Security Considerations section:

> The signature scheme described in this document deals with the content present inside a compressed widget package. This implies that, in order to verify a widget signature, implementations need to uncompress a data stream that can come from an arbitrary source. A signature according to this specification does *not* limit the attack surface of decompression and unpacking code used during signature extraction and verification.
>
> Care should be taken to avoid resource exhaustion attacks through maliciously crafted Widget archives during signature verification.
>
> Implementations that store the content of widget archives to the file system during signature verification must not trust any path components of file names present in the archive, to avoid overwriting of arbitrary files during signature verification.

(In other words, the zip archive isn't signed, and bad things might happen if signature verification is implemented naively.)

--
Thomas Roessler, W3C <tlr@w3.org>
Received on Tuesday, 16 December 2008 10:44:06 UTC
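The two precautions the proposed text asks for, bounding what a crafted archive can consume and refusing to trust path components of entry names, can be shown in a small unpacker. The following is an added example written for this page, not code from the email, the W3C specification or any widget implementation; it uses Python's standard `zipfile` module, and the limits (entry count, total uncompressed size, compression ratio) and the three in-memory sample archives are constructed for illustration, not taken from the specification.

```python
"""Added example: defensive unpacking of a widget (zip) archive for signature verification.

Implements the two checks the proposed Security Considerations text asks for:
  * bound the resources a maliciously crafted archive can consume, and
  * never trust path components of entry names when writing to the file system.
The limits and sample archives below are constructed for illustration.
"""
from __future__ import annotations

import io
import os
import posixpath
import tempfile
import zipfile


class UnsafeArchive(Exception):
    """An entry would escape the target directory or exceed a resource limit."""


def safe_member_path(name: str) -> str:
    """Return a normalised, relative path for a zip entry name, or raise UnsafeArchive."""
    # Zip entry names are supposed to use '/' only; backslashes and drive-letter
    # colons are rejected outright (a conservative policy chosen for this example).
    if "\\" in name or ":" in name or name.startswith("/"):
        raise UnsafeArchive(f"absolute or malformed entry name: {name!r}")
    norm = posixpath.normpath(name)
    if norm in (".", "..") or norm.startswith("../"):
        raise UnsafeArchive(f"entry name escapes the archive root: {name!r}")
    return norm


def is_safe_member_name(name: str) -> bool:
    try:
        safe_member_path(name)
        return True
    except UnsafeArchive:
        return False


def safe_extract(zip_bytes: bytes, dest: str, *, max_total: int = 50 * 1024 * 1024,
                 max_entries: int = 1000, max_ratio: int = 100) -> list[str]:
    """Unpack zip_bytes below dest, enforcing path and size limits; returns the relative paths written.

    On UnsafeArchive the caller should discard dest entirely, since partial output may remain.
    """
    dest_real = os.path.realpath(dest)
    written, declared_total, actual_total = [], 0, 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            raise UnsafeArchive(f"too many entries: {len(infos)}")
        for info in infos:
            rel = safe_member_path(info.filename)
            # Header sizes are attacker-controlled, so they are only a first filter;
            # the byte count is enforced again while streaming below.
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise UnsafeArchive(f"compression ratio too high for {rel!r}")
            declared_total += info.file_size
            if declared_total > max_total:
                raise UnsafeArchive("declared uncompressed size exceeds limit")
            # Belt and braces: the resolved target must still lie under dest.
            target = os.path.realpath(os.path.join(dest_real, rel))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise UnsafeArchive(f"entry resolves outside destination: {rel!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Entries are always written as regular files, never created as symlinks.
            with zf.open(info) as src, open(target, "wb") as dst:
                while chunk := src.read(64 * 1024):
                    actual_total += len(chunk)
                    if actual_total > max_total:
                        raise UnsafeArchive("uncompressed output exceeds limit")
                    dst.write(chunk)
            written.append(rel)
    return written


def build_sample_archives() -> dict[str, bytes]:
    """Constructed in-memory archives: a benign widget, a path-traversal attempt, a size bomb."""
    def make(entries, compression):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", compression) as zf:
            for name, data in entries:
                zf.writestr(name, data)  # writestr does not sanitise names, so the traversal entry is stored as-is
        return buf.getvalue()
    return {
        "benign": make([("config.xml", b"<widget/>"), ("icons/icon.png", b"\x89PNG")], zipfile.ZIP_STORED),
        "traversal": make([("../../evil.txt", b"owned")], zipfile.ZIP_STORED),
        "bomb": make([("big.bin", b"\0" * (5 * 1024 * 1024))], zipfile.ZIP_DEFLATED),
    }


def demo() -> dict[str, str]:
    """Extract each sample into a scratch directory with a 1 MiB cap and report the outcome."""
    results = {}
    for label, data in build_sample_archives().items():
        with tempfile.TemporaryDirectory() as dest:
            try:
                paths = safe_extract(data, dest, max_total=1024 * 1024)
                results[label] = "extracted:" + ",".join(sorted(paths))
            except UnsafeArchive:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())  # {'benign': 'extracted:config.xml,icons/icon.png', 'traversal': 'rejected', 'bomb': 'rejected'}
```

The name check and the final `realpath`/`commonpath` comparison are deliberately redundant: the first rejects obviously hostile names before anything touches the disk, the second catches whatever the first missed once the path is resolved against the real destination. Size is likewise checked twice, once against the declared header values and again against the bytes actually produced by the decompressor, because the headers of a hostile archive are as untrustworthy as its file names.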