Re: [w3c/IndexedDB] Implementor's note: Escape the database name? (#207)

These might not translate to any security problems, but in our Node implementation (which relies on sqlite3 that does convert names to disk paths), we applied the following config for escaping file names for writing to disk (mostly to avoid name clashes):

1. Ensure an empty string database name is not supplied without modification as a file name
2. Requiring escaping of NFD expanding characters to avoid NFD normalization clashes (given NFD being performed on file names in macOS). (Maybe not a feature for some!)
3. Escaping characters commonly still reserved on modern file systems (our JavaScript regex is `[\u0000-\u001F\u007F"*/:<>?\\|]`)
4. Requiring config not to throw if 255+ characters are used in a name given file name length limits.
5. Escape upper case ASCII characters which are not distinguished on some file systems (though use of alternate cases for other Unicode characters does not seem to be a problem from my limited testing, so we do not escape case for other Unicode characters).
6. Escape unmatched surrogates

https://github.com/w3c/IndexedDB/issues/207#issuecomment-310539321

Received on Friday, 23 June 2017 00:40:38 UTC
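
The six rules listed in the message above, combined into one escaping function for Node. This is an added example, not part of the original message or of the implementation it describes. The `^xxxx` escape format, the `db_` prefix, the `allowLongNames` option and counting the 255 limit in UTF-8 bytes of the escaped name are all assumptions.

```javascript
// Added illustration. The "^xxxx" escape format, the "db_" prefix and the
// allowLongNames option are assumptions, not the implementation's own names.
const RESERVED = /[\u0000-\u001F\u007F"*/:<>?\\|]/; // regex quoted in item 3
const PREFIX = 'db_';       // item 1: "" never maps to an empty file name
const MAX_BYTES = 255;      // item 4 (assumed to be counted in UTF-8 bytes)

// "^" plus four lowercase hex digits for each UTF-16 code unit of s.
function hexEscape(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    out += '^' + s.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

// ch is one code point, or a lone surrogate, as yielded by string iteration.
function needsEscape(ch, strict) {
  if (ch === '^') return true;                          // keeps the mapping reversible
  if (ch.length === 1 && /[\uD800-\uDFFF]/.test(ch)) return true; // item 6
  if (RESERVED.test(ch)) return true;                   // item 3
  if (/[A-Z]/.test(ch)) return true;                    // item 5
  if (strict && ch.codePointAt(0) > 0x7f) return true;  // fallback, see below
  return ch.normalize('NFD') !== ch;                    // item 2
}

function escapeDatabaseName(name, { allowLongNames = false } = {}) {
  const build = (strict) => {
    let out = PREFIX;
    for (const ch of name) out += needsEscape(ch, strict) ? hexEscape(ch) : ch;
    return out;
  };
  let out = build(false);
  // NFD also reorders combining marks; if the result would still change,
  // escape every non-ASCII character instead.
  if (out.normalize('NFD') !== out) out = build(true);
  if (!allowLongNames && Buffer.byteLength(out, 'utf8') > MAX_BYTES) {
    throw new RangeError('escaped database name exceeds 255 bytes');
  }
  return out;
}
```

Because every `^` in the input is itself escaped, each `^` in the output starts exactly one four-digit escape, so distinct database names always produce distinct file names.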