Re: [secdir] review draft-ietf-httpbis-content-disp-06

Julian Reschke <> Mon, 14 March 2011 19:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AB93B3A6B6B; Mon, 14 Mar 2011 12:58:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id iH5eG0bJV1Bs; Mon, 14 Mar 2011 12:58:57 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B18723A6B57; Mon, 14 Mar 2011 12:58:57 -0700 (PDT)
Received: from [] (unknown []) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id 9B0A7C4CA34; Mon, 14 Mar 2011 21:00:20 +0100 (CET)
Message-ID: <>
Date: Mon, 14 Mar 2011 21:00:18 +0100
From: Julian Reschke <>
Organization: greenbytes GmbH
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20110303 Lightning/1.0b2 Thunderbird/3.1.9
MIME-Version: 1.0
To: Hilarie Orman <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [secdir] review draft-ietf-httpbis-content-disp-06
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Mar 2011 19:58:58 -0000

On 14.03.2011 18:58, Hilarie Orman wrote:
> Security Review of
> Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol
>    (HTTP)
> Do not be alarmed.  I have reviewed this document as part of the
> security directorate's ongoing effort to review all IETF documents
> being processed by the IESG. These comments were written primarily for
> the benefit of the security area directors. Document editors and WG
> chairs should treat these comments just like any other last call
> comments.

Hilarie, thanks for the feedback.

> The document specifies the syntax of the content-disposition field and
> its parameters for http responses.  It is based on the MIME
> specification for the same field.
> The Content-Disposition header supports a parameter called "filename",
> the recommended name for saving the content.  That feature is just
> plain dangerous.  A good many exploits are based it.  But, it's not
> really the fault of the protocol.  Protocols don't kill people, people
> clicking "yes" kill themselves.


Furthermore, it's saving web content, not the header field itself. 
Recall that if the C-D header field is not present, the UA will derive 
one from the URI, which can have exactly the same problems (except for 
the path-related ones).

> The document is clearly written, and it does point out many of the
> dangers inherent in trusting arbitrary filenames and file extensions.
> However, I think that this feature will continue to be a major source
> of vulnerabilities.

Out of curiosity: do you believe it's a vulnerability today? Anything 
specific? UA bug reports that haven't been fixed?

>  From a security viewpoint, I think the protocol should restrict
> filenames to ascii alphabetic characters (no "." or "/"), and that if

We can't rule out "."; it just occurs frequently in filenames (think 

We *could* forbid path separators, but that wouldn't mean that we 
wouldn't have to say what to do when you see them.

> the filename does not conform, the receiver SHOULD reject the message
> and send an error code back to the sender.  The sender should not be

As Alexey said, there's no back channel. Also, if sending a 
non-conforming name was actually intentional, complaining about it will 
not achieve anything.

> allowed to specify a file extension.  The receiver SHOULD write the
> files into a quarantined disk area using a temporary filename, the
> file to be released to the recommended name pending manual review.
> But, that would break the world, as would so many security
> recommendations.

Indeed. I'd rather not try to impose normative requirements here when we 
know that UAs won't do it anyway. It's much more important to call out 
the risks.

Best regards, Julian