
Re: [metadataInURI-31] New draft of metadata in URI finding includes section on malicious metadata

From: Elliotte Harold <elharo@metalab.unc.edu>
Date: Mon, 30 Oct 2006 08:53:41 -0500
Message-ID: <454603E5.7060306@metalab.unc.edu>
To: noah_mendelsohn@us.ibm.com
CC: www-tag@w3.org, Stuart Williams <skw@hp.com>

noah_mendelsohn@us.ibm.com wrote:
> I am pleased to announce the availability of a new draft of the finding: 
> "The use of Metadata in URIs" [1,2,3,].  The principal change is the 
> addition of a section [4] on malicious metadata, using an example of a 
> site serving a URI ending in ".jpeg" with a representation that is a 
> malicious executable.  

I've read it, and I just don't find the scenario plausible. What browser 
would run an arbitrary program merely because it's labeled as 
application/octet-stream? The real issues that are similar to this are:

1. The user downloads a mislabeled file such as evil.jpg.exe and 
launches it by mistake (but the user does this, not the browser).

2. The file is labeled as image/jpeg but exploits browser bugs to 
overflow the stack.

I don't think either of these is relevant to this finding. Hmm, maybe 
the first is.  Is it possible to describe a more realistic example in 
this section? If not perhaps it should go.



-- 
Elliotte Rusty Harold  elharo@metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
Received on Monday, 30 October 2006 13:54:04 GMT
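The scenario under discussion, a URI whose suffix says ".jpeg" while the bytes behind it are an executable, is exactly the kind of mismatch a proxy, upload scanner or crawler can detect without trusting either the URI or the Content-Type header. The following is an added example, not code from the finding or from anyone in this thread: it compares three sources of "what is this" (the URI suffix, the Content-Type header, and the leading magic bytes of the body) and reports which of them disagree. The magic-byte table, the suffix table and all sample inputs are constructed for the example; `application/octet-stream` is treated as "no specific claim", since servers use it generically.

```python
"""Detect disagreement between a URI's suffix, the Content-Type header and
the actual bytes of a representation (added example; all inputs constructed)."""
from urllib.parse import urlsplit
import posixpath

# Leading bytes that identify a few common formats (constructed table).
MAGIC = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
    "application/pdf": [b"%PDF-"],
    # Windows PE files begin with the DOS "MZ" stub header.
    "application/vnd.microsoft.portable-executable": [b"MZ"],
    # ELF binaries on Unix-like systems.
    "application/x-executable": [b"\x7fELF"],
}

# What a URI suffix is commonly taken to mean (constructed table).
SUFFIX_TYPES = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
    ".gif": "image/gif", ".pdf": "application/pdf",
}

EXECUTABLE_TYPES = {
    "application/vnd.microsoft.portable-executable",
    "application/x-executable",
}

# Header values that make no specific claim about the format.
GENERIC_TYPES = {"application/octet-stream"}


def sniff_type(body: bytes):
    """Media type implied by the leading bytes, or None if not recognised."""
    for media_type, prefixes in MAGIC.items():
        if any(body.startswith(p) for p in prefixes):
            return media_type
    return None


def suffix_type(uri: str):
    """Media type the URI path's suffix suggests, or None if it has none we know."""
    ext = posixpath.splitext(urlsplit(uri).path)[1].lower()
    return SUFFIX_TYPES.get(ext)


def check_representation(uri: str, content_type: str, body: bytes) -> dict:
    """Compare URI suffix, Content-Type header and sniffed bytes.

    Returns the three derived types plus a verdict a scanner can log or act on:
      ok                    all available sources agree
      executable-disguised  bytes are an executable but the URI suffix says otherwise
      suffix-mismatch       URI suffix disagrees with the bytes (non-executable)
      header-mismatch       Content-Type disagrees with the bytes
      unknown-content       bytes match no known format; nothing to compare against
    """
    claimed = content_type.split(";")[0].strip().lower()
    if not claimed or claimed in GENERIC_TYPES:
        claimed = None
    from_uri = suffix_type(uri)
    actual = sniff_type(body)

    if actual is None:
        verdict = "unknown-content"
    elif actual in EXECUTABLE_TYPES and from_uri is not None and from_uri != actual:
        verdict = "executable-disguised"
    elif from_uri is not None and from_uri != actual:
        verdict = "suffix-mismatch"
    elif claimed is not None and claimed != actual:
        verdict = "header-mismatch"
    else:
        verdict = "ok"

    return {"verdict": verdict, "uri_type": from_uri,
            "header_type": claimed, "sniffed_type": actual}


# Constructed sample responses: (label, uri, Content-Type, first bytes of body).
SAMPLES = [
    ("honest jpeg", "http://example.com/img/photo.jpeg", "image/jpeg",
     b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("exe behind .jpeg", "http://example.com/img/photo.jpeg",
     "application/octet-stream", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("png named .jpeg", "http://example.com/img/photo.jpeg", "image/jpeg",
     b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("gif header, jpeg bytes", "http://example.com/download", "image/gif",
     b"\xff\xd8\xff\xe1"),
]


def run_samples() -> dict:
    """Verdict for each constructed sample, keyed by label."""
    return {label: check_representation(u, ct, body)["verdict"]
            for label, u, ct, body in SAMPLES}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:24s} -> {verdict}")
```

Note that the check only ever compares the two or three sources it actually has: a URI with no recognised suffix is compared against the header alone, and a generic `application/octet-stream` header is not counted as a claim, so the "exe behind .jpeg" case is flagged on the suffix, which is the metadata the finding's example is about.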
