- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sun, 06 Mar 2011 12:13:11 +0100
- To: Barry Leiba <barryleiba@computer.org>
- CC: ietf@ietf.org, ietf-http-wg@w3.org
On 02.03.2011 15:11, Julian Reschke wrote:

> ...
> Proposed change for the three items in 4.3:
>
> o Many platforms do not use Internet Media Types ([RFC2046]) to hold type information in the file system, but rely on filename extensions instead. Trusting the server-provided file extension could introduce a privilege escalation when the saved file is later opened (consider ".exe"). Thus, recipients SHOULD ensure that a file extension is used that is safe, optimally matching the media type of the received payload.
>
> o Recipients SHOULD strip or replace character sequences that are known to cause confusion both in user interfaces and in filenames, such as control characters and leading and trailing whitespace.
>
> o Other aspects recipients need to be aware of are names that have a special meaning in the file system or in shell commands, such as "." and "..", "~", "|", and also device names. Recipients SHOULD ignore or substitute names like these.
>
> (see <http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/278/i278.diff>).
> ...

...applied with <http://trac.tools.ietf.org/wg/httpbis/trac/changeset/1152>; I plan to submit a -07 draft soon after LC ends.

Best regards, Julian
Received on Sunday, 6 March 2011 11:13:53 UTC
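The three Section 4.3 recommendations quoted in the message, applied in order by a recipient deriving a local filename from a Content-Disposition filename parameter. This is an added example, not code from the message, the draft or any HTTP implementation; the preferred-extension table, the list of executable extensions, the reserved device names and the "download" fallback stem are constructed for the example.

```python
import mimetypes
import os
import re

# Constructed for this example: preferred extension per media type, consulted before the
# stdlib mimetypes database so that the mapping is deterministic across platforms.
_PREFERRED_EXTENSION = {
    "application/pdf": ".pdf",
    "image/png": ".png",
    "text/plain": ".txt",
}
# Extensions that common desktop platforms execute directly (constructed, non-exhaustive).
_EXECUTABLE_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".vbs", ".js", ".msi", ".ps1"}
# Windows reserved device names; the OS resolves them case-insensitively, even with an extension.
_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}
_FALLBACK_STEM = "download"


def _extension_for(media_type: str) -> str:
    """Return the extension matching the payload's media type, or '' if the type is unknown."""
    base = media_type.split(";", 1)[0].strip().lower()  # drop parameters such as charset=
    return _PREFERRED_EXTENSION.get(base) or mimetypes.guess_extension(base) or ""


def safe_filename(proposed: str, media_type: str) -> str:
    """Derive a safe local filename from a server-supplied Content-Disposition filename."""
    # Item 2: remove C0/C1 control characters (CR, LF, ESC, ...) and surrounding whitespace.
    name = re.sub(r"[\x00-\x1f\x7f-\x9f]", "", proposed).strip()
    # "/" and "\" are path separators on common platforms: keep only the last segment so the
    # name cannot point outside the download directory.
    name = re.split(r"[\\/]", name)[-1].strip()
    # Item 3: "|" is a shell pipe, so substitute it; then replace stems consisting only of dots
    # or tildes (".", "..", "~") and reserved device names ("NUL", "COM1", ...) with a fallback.
    name = name.replace("|", "_")
    stem, ext = os.path.splitext(name)
    if stem.lstrip("~.") == "" or stem.upper() in _DEVICE_NAMES:
        stem = _FALLBACK_STEM
    # Item 1: the extension follows the media type of the received payload, not the server's
    # name; when the type is unknown, at least neutralise directly executable extensions.
    expected = _extension_for(media_type)
    if expected and ext.lower() != expected:
        ext = expected
    elif not expected and ext.lower() in _EXECUTABLE_EXTENSIONS:
        ext = ".bin"
    return stem + ext
```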