Does it matter? (was Re: .rdf file extension security?) from Phil Archer on 2005-02-01 (www-rdf-interest@w3.org from February 2005)

From: Phil Archer <phil.archer@icra.org>
Date: Tue, 1 Feb 2005 09:31:56 -0000
To: <www-rdf-interest@w3.org>
Message-ID: <005b01c50841$1e4daa70$53276551@PHILXP>

Thanks for this Charles and to Christopher Schmidt.

Sorry for my slack terminology, Christopher, what I meant was that if I put 
a .rdf file on a Windows server and then browse to it (with any client), the 
sever gives a 404 response, even though the file is present.

Clearly there are a lot of servers in use that don't support the RDF MIME 
type by default. However, they do support .xml. My organisation's aim is to 
get a significant number of websites to include RDF descriptions of their 
content for PICS-like (child protection) reasons. See 
http://www.w3.org/2004/12/q/doc/rdf-contentlabels.html

Whilst it is easy for a professional to add a MIME type to a server, for 
hobby webmasters (and, let's be honest, a lot of "professional web 
designers") this is well beyond what can be expected..

So, the question is, does it make a practical difference if an RDF/XML 
instance is in a file with a .xml extension and a MIME type of 
application/xml, rather that nicely in a file with a .rdf extension and a 
MIME type of application.rdf+xml?

Phil.

----- Original Message ----- 
From: "Charles McCathieNevile" <charles@sidar.org>
To: "Phil Archer" <phil.archer@icra.org>; <www-rdf-interest@w3.org>
Sent: Tuesday, February 01, 2005 4:16 AM
Subject: Re: .rdf file extension security?

> On Mon, 31 Jan 2005 22:13:32 -0000, Phil Archer <phil.archer@icra.org> 
> wrote:
>
>> Is there a security issue (real or perceived) around .rdf? Or is it just 
>> that the good folk at Geocities/Yahoo/BT haven't added .rdf to the list 
>> of allowed file types?
>
> I suspect the latter case. If you have real RDF it is pretty difficult to 
> include a security risk (although of course any file with any ending on 
> its name can carry something unpleasant...)
>
>>  A Windows server I did manage to upload a .rdf file to then wouldn't 
>> serve it back under default settings.
>
> Hmmm. If you have to configure a windows server before it gets around to 
> handing back data you give it. Which seems a wierd design choice. 
> Otherwise, as already noted, it might just e served with a MIME type that 
> results in no software having a sensible indication of how to handle it.
>
> cheers
>
> -- 
> Charles McCathieNevile                 Fundacion Sidar
> charles@sidar.org                      http://www.sidar.org
>

Received on Tuesday, 1 February 2005 09:34:12 UTC