- From: Marcos Caceres <marcosscaceres@gmail.com>
- Date: Fri, 23 Nov 2007 15:07:08 +1000
- To: "Bjoern Hoehrmann" <derhoermi@gmx.net>
- Cc: "public-appformats@w3.org" <public-appformats@w3.org>
Received on Friday, 23 November 2007 05:07:27 UTC
> > I would expect, in any case, the specification to warn against giving > possibly untrusted content control over the names of files on the disk. > There are the obvious portability issues concerning lenth restrictions > and usable characters but also security issues with special characters, > special file names, special files and other things, as an implementer, > I would certainly try hard to avoid simply extracting an archive file > to disk. Exactly. However, this is not current practice with a least yahoo! widgets and Windows Vista Sidebar... both decompress widgets straight to the hard drive. Still need to do more testing to see what others do. I'll draft some warning text as you suggested. If you have any further comments on the text I sent yesterday regarding ASCII paths [1] I would really like to hear them. Kind regards, Marcos [1] http://lists.w3.org/Archives/Public/public-appformats/2007Nov/0032.html -- Marcos Caceres http://datadriven.com.au
Received on Friday, 23 November 2007 05:07:27 UTC