Changeset 1202


Timestamp: Mar 17, 2011, 9:34:09 AM (8 years ago)
Author: julian.reschke@…
Message: Strengthen file extension handling requirement
Location: draft-ietf-httpbis-content-disp/latest
Files: 2 edited

  • draft-ietf-httpbis-content-disp/latest/draft-ietf-httpbis-content-disp.html

    r1201 r1202  
    643643         <li>
    644644            <p>Many platforms do not use Internet Media Types (<a href="#RFC2046" id="rfc.xref.RFC2046.1"><cite title="Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types">[RFC2046]</cite></a>) to hold type information in the file system, but rely on filename extensions instead. Trusting the server-provided file
    645                extension could introduce a privilege escalation when the saved file is later opened (consider ".exe"). Thus, recipients <em class="bcp14">SHOULD</em> ensure that a file extension is used that is safe, optimally matching the media type of the received payload.
     645               extension could introduce a privilege escalation when the saved file is later opened (consider ".exe"). Thus, recipients which
     646               make use of file extensions to determine the media type <em class="bcp14">MUST</em> ensure that a file extension is used that is safe, optimally matching the media type of the received payload.
    646647            </p>
    647648         </li>
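Review bot: "safe" in the new MUST sentence (new lines 645-646) is not defined, so an implementer cannot tell when the requirement is met, and "optimally matching the media type" reads as advice rather than part of the requirement. With the keyword raised from SHOULD to MUST, consider stating the required behaviour directly, for example that the extension used for the saved file is chosen from the media type of the received payload and not taken from the server-provided filename, and keep ".exe" as the illustration of what the requirement is meant to prevent.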
     
    10411042      </p>
    10421043      <h2 id="rfc.section.E.13"><a href="#rfc.section.E.13">E.13</a>&nbsp;<a id="changes.since.08" href="#changes.since.08">Since draft-ietf-httpbis-content-disp-08</a></h2>
    1043       <p id="rfc.section.E.13.p.1">Update: Internet Explorer 9 is released. Various editorial improvements. Add US-ASCII reference.</p>
     1044      <p id="rfc.section.E.13.p.1">Update: Internet Explorer 9 is released. Various editorial improvements. Add US-ASCII reference. Strengthen file extension
     1045         handling requirement to MUST for those recipients that actually use file extensions to map media types.
     1046      </p>
    10441047      <h1 id="rfc.index"><a href="#rfc.index">Index</a></h1>
    10451048      <p class="noprint"><a href="#rfc.index.C">C</a> <a href="#rfc.index.H">H</a> <a href="#rfc.index.I">I</a> <a href="#rfc.index.R">R</a> <a href="#rfc.index.U">U</a>
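Review bot: The change note on new lines 1044-1045 calls this a strengthening, but the removed SHOULD applied to all recipients while the new MUST applies only to "those recipients that actually use file extensions", so recipients outside that condition no longer have any stated requirement. The note should record the narrowed scope as well as the stronger keyword, so readers comparing against draft -08 see both changes.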
  • draft-ietf-httpbis-content-disp/latest/draft-ietf-httpbis-content-disp.xml

    r1201 r1202  
    266266      extensions instead. Trusting the server-provided file extension could
    267267      introduce a privilege escalation when the saved file is later opened
    268       (consider ".exe"). Thus, recipients &SHOULD; ensure that a file extension
     268      (consider ".exe"). Thus, recipients which make use of file extensions
     269      to determine the media type &MUST; ensure that a file extension
    269270      is used that is safe, optimally matching the media type of the received
    270271      payload.
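Review bot: The condition added on new lines 268-269 is placed on the recipient ("recipients which make use of file extensions to determine the media type"), while the preceding context says it is the platform that relies on filename extensions and that the risk arises "when the saved file is later opened". A recipient that never inspects extensions itself but saves to such a platform would fall outside the MUST even though the ".exe" case still applies to it. Suggest tying the condition to the platform the file is saved on, and using "that" rather than "which" for the restrictive clause.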
     
    10931094  Various editorial improvements.
    10941095  Add US-ASCII reference.
     1096  Strengthen file extension handling requirement to MUST for those recipients
     1097  that actually use file extensions to map media types.
    10951098</t>
    10961099</section>
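Review bot: The change-log wording on new lines 1096-1097, "use file extensions to map media types", differs from the normative sentence this commit adds, "make use of file extensions to determine the media type". "Map media types" can be read in either direction (extension to type, or type to extension). Suggest reusing the normative phrase here so the log and the requirement describe the same set of recipients.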