- From: Elliotte Harold <elharo@metalab.unc.edu>
- Date: Mon, 30 Oct 2006 08:53:41 -0500
- To: noah_mendelsohn@us.ibm.com
- CC: www-tag@w3.org, Stuart Williams <skw@hp.com>
noah_mendelsohn@us.ibm.com wrote: > I am pleased to announce the availability of a new draft of the finding: > "The use of Metadata in URIs" [1,2,3,]. The principle change is the > addition of a section [4] on malicious metadata, using an example of a > site serving a URI ending in ".jpeg" with a representation that is a > malicious executable. I've read it, and I just don't find the scenario plausible. What browser would run an arbitrary program merely because it's labeled as application/octet-stream? The real issues that are similar to this are: 1. The user downloads a mislabeled file such as evil.jpg.exe and launches it by mistake (but the user does this, not the browser). 2. The file is labeled as image/jpeg but exploits browser bugs to overflow the stack. I don't think either of these is relevant to this finding. Hmm, maybe the first is. Is it possible to describe a more realistic example in this section? If not perhaps it should go. -- Elliotte Rusty Harold elharo@metalab.unc.edu Java I/O 2nd Edition Just Published! http://www.cafeaulait.org/books/javaio2/ http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
Received on Monday, 30 October 2006 13:54:04 UTC