Re: [secdir] review draft-ietf-httpbis-content-disp-06

Julian Reschke <julian.reschke@greenbytes.de> Mon, 14 March 2011 19:58 UTC

Return-Path: <julian.reschke@greenbytes.de>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AB93B3A6B6B; Mon, 14 Mar 2011 12:58:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iH5eG0bJV1Bs; Mon, 14 Mar 2011 12:58:57 -0700 (PDT)
Received: from donbot.greenbytes.de (mail.greenbytes.de [217.91.35.233]) by core3.amsl.com (Postfix) with ESMTP id B18723A6B57; Mon, 14 Mar 2011 12:58:57 -0700 (PDT)
Received: from [192.168.178.33] (unknown [80.143.179.239]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by donbot.greenbytes.de (Postfix) with ESMTPSA id 9B0A7C4CA34; Mon, 14 Mar 2011 21:00:20 +0100 (CET)
Message-ID: <4D7E73D2.5040507@greenbytes.de>
Date: Mon, 14 Mar 2011 21:00:18 +0100
From: Julian Reschke <julian.reschke@greenbytes.de>
Organization: greenbytes GmbH
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Lightning/1.0b2 Thunderbird/3.1.9
MIME-Version: 1.0
To: Hilarie Orman <ho@alum.mit.edu>
References: <201103141758.p2EHwkmS032697@fermat.rhmr.com>
In-Reply-To: <201103141758.p2EHwkmS032697@fermat.rhmr.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-httpbis-content-disp-06@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] review draft-ietf-httpbis-content-disp-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Mar 2011 19:58:58 -0000

On 14.03.2011 18:58, Hilarie Orman wrote:
> Security Review of
>
> Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol
>    (HTTP)
>
> Do not be alarmed.  I have reviewed this document as part of the
> security directorate's ongoing effort to review all IETF documents
> being processed by the IESG. These comments were written primarily for
> the benefit of the security area directors. Document editors and WG
> chairs should treat these comments just like any other last call
> comments.

Hilarie, thanks for the feedback.

> The document specifies the syntax of the content-disposition field and
> its parameters for http responses.  It is based on the MIME
> specification for the same field.
>
> The Content-Disposition header supports a parameter called "filename",
> the recommended name for saving the content.  That feature is just
> plain dangerous.  A good many exploits are based it.  But, it's not
> really the fault of the protocol.  Protocols don't kill people, people
> clicking "yes" kill themselves.

Indeed.

Furthermore, it's saving web content, not the header field itself. 
Recall that if the C-D header field is not present, the UA will derive 
one from the URI, which can have exactly the same problems (except for 
the path-related ones).

> The document is clearly written, and it does point out many of the
> dangers inherent in trusting arbitrary filenames and file extensions.
> However, I think that this feature will continue to be a major source
> of vulnerabilities.

Out of curiosity: do you believe it's a vulnerability today? Anything 
specific? UA bug reports that haven't been fixed?

>  From a security viewpoint, I think the protocol should restrict
> filenames to ascii alphabetic characters (no "." or "/"), and that if

We can't rule out "."; it just occurs frequently in filenames (think 
"foo.tar.gz").

We *could* forbid path separators, but that wouldn't mean that we 
wouldn't have to say what to do when you see them.

> the filename does not conform, the receiver SHOULD reject the message
> and send an error code back to the sender.  The sender should not be

As Alexey said, there's no back channel. Also, if sending a 
non-conforming name was actually intentional, complaining about it will 
not achieve anything.

> allowed to specify a file extension.  The receiver SHOULD write the
> files into a quarantined disk area using a temporary filename, the
> file to be released to the recommended name pending manual review.
> But, that would break the world, as would so many security
> recommendations.

Indeed. I'd rather not try to impose normative requirements here when we 
know that UAs won't do it anyway. It's much more important to call out 
the risks.

Best regards, Julian