
ACTION-208: Security considerations concerning compression

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 16 Dec 2008 11:43:55 +0100
Message-Id: <1F3A0CB9-98F2-4A24-9C9F-695A661C7FD5@w3.org>
To: Marcos Caceres <marcosscaceres@gmail.com>, Frederick Hirsch <frederick.hirsch@nokia.com>
Cc: public-webapps <public-webapps@w3.org>

I suggest to remove the editorial note currently present in section 8  
of the Editor's Draft.

Instead, add the following to the Security Considerations section:

> The signature scheme described in this document deals with the  
> content present inside a compressed widget package. This implies  
> that, in order to verify a widget signature, implementations need to  
> uncompress a data stream that can come from an arbitrary source.  A  
> signature according to this specification does *not* limit  
> the attack surface of decompression and unpacking code used during  
> signature extraction and verification.

> Care should be taken to avoid resource exhaustion attacks through  
> maliciously crafted widget archives during signature verification.

> Implementations that store the content of widget archives to the  
> file system during signature verification must not trust any path  
> components of file names present in the archive, to avoid  
> overwriting of arbitrary files during signature verification.

(In other words, the zip archive isn't signed, and bad things might  
happen if signature verification is implemented naively.)

--
Thomas Roessler, W3C  <tlr@w3.org>
Received on Tuesday, 16 December 2008 10:44:06 GMT
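The last two points in the proposed text (resource exhaustion and untrusted path components) are the ones an implementer can actually enforce in the unpacking step; the first (the decompressor's own attack surface) is not something a signature can shrink. As an added example, not code from this message, from the Widgets specification or from any implementation, the following Python extractor shows what that enforcement looks like: entry names are rejected rather than cleaned if they are absolute, contain `..` or `.` components, or would resolve outside the destination, and decompressed size is metered on the decompressor's output instead of being read from the archive headers, which the attacker controls just like the names. The limit values, the sample archives and the `UnsafeArchive` error type are assumptions made for this example.

```python
import io
import pathlib
import tempfile
import zipfile
import zlib

# Policy limits: assumed values for this example, not numbers from the spec.
MAX_ENTRIES = 1000
MAX_ENTRY_BYTES = 4 * 1024 * 1024     # decompressed bytes per entry
MAX_TOTAL_BYTES = 10 * 1024 * 1024    # decompressed bytes per archive
MAX_RATIO = 100                       # decompressed : compressed, per entry
CHUNK = 64 * 1024


class UnsafeArchive(Exception):
    """Raised when the archive violates the extraction policy (hypothetical type)."""


def safe_member_path(dest: pathlib.Path, name: str) -> pathlib.Path:
    """Map an entry name onto a path strictly below dest, or raise.

    Names are rejected rather than cleaned: the archive is untrusted input and
    a 'repaired' name is still one the attacker chose.
    """
    if "\\" in name or ":" in name or "\0" in name:
        raise UnsafeArchive(f"non-portable entry name {name!r}")
    parts = name.rstrip("/").split("/")
    if any(p in ("", ".", "..") for p in parts):   # absolute, '.', '..' or '//'
        raise UnsafeArchive(f"path traversal in entry name {name!r}")
    candidate = dest.joinpath(*parts)
    if candidate.parts[: len(dest.parts)] != dest.parts:
        raise UnsafeArchive(f"entry escapes destination: {name!r}")
    return candidate


def extract_untrusted(data: bytes, dest: pathlib.Path) -> list:
    """Unpack an untrusted ZIP under dest with path and size limits enforced.

    Returns the extracted entry names. Sizes are measured on the decompressor's
    output; info.file_size is never trusted because it comes from the archive.
    """
    dest = dest.resolve()
    dest.mkdir(parents=True, exist_ok=True)
    extracted, total = [], 0
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if len(infos) > MAX_ENTRIES:
                raise UnsafeArchive(f"too many entries ({len(infos)})")
            for info in infos:
                target = safe_member_path(dest, info.filename)
                if info.is_dir():
                    target.mkdir(parents=True, exist_ok=True)
                    extracted.append(info.filename)
                    continue
                target.parent.mkdir(parents=True, exist_ok=True)
                # Re-check after resolving symlinks that may already exist on disk.
                if target.parent.resolve().parts[: len(dest.parts)] != dest.parts:
                    raise UnsafeArchive(f"parent of {info.filename!r} resolves outside dest")
                produced = 0
                budget = MAX_RATIO * max(info.compress_size, 1)
                try:
                    with zf.open(info) as src, open(target, "wb") as out:
                        while chunk := src.read(CHUNK):
                            produced += len(chunk)
                            total += len(chunk)
                            if produced > MAX_ENTRY_BYTES or total > MAX_TOTAL_BYTES:
                                raise UnsafeArchive(f"size limit exceeded at {info.filename!r}")
                            if produced > budget:
                                raise UnsafeArchive(f"ratio limit exceeded at {info.filename!r}")
                            out.write(chunk)
                except BaseException:
                    target.unlink(missing_ok=True)   # leave no partial file behind
                    raise
                extracted.append(info.filename)
    except (zipfile.BadZipFile, zlib.error) as e:
        raise UnsafeArchive(f"malformed archive: {e}") from e
    return extracted


def _zip_with(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives: one benign, one with a traversal name, one bomb.
BENIGN = _zip_with({"config.xml": b"<widget/>", "icons/icon.png": b"\x89PNG"})
TRAVERSAL = _zip_with({"config.xml": b"<widget/>", "../../outside.txt": b"escaped"})
BOMB = _zip_with({"config.xml": b"<widget/>", "bomb.bin": b"\0" * (8 * 1024 * 1024)})


def check_archive(data: bytes):
    """Extract into a throwaway directory and report (accepted, detail)."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return True, extract_untrusted(data, pathlib.Path(tmp))
        except UnsafeArchive as e:
            return False, str(e)


if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("traversal", TRAVERSAL), ("bomb", BOMB)):
        print(label, check_archive(data))
```

Two caveats for anyone adapting this. Current versions of `zipfile.ZipFile.extractall` already strip absolute and `..` components, but they do not cap decompressed output, so the byte counting above is the part a naive verifier is most likely to lack. The per-entry ratio limit is a policy choice: it stops a deflate bomb early, but it also rejects legitimately highly compressible files, so the number should be set from what the widget format actually needs rather than copied from here.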
