Re: [secdir] review draft-ietf-httpbis-content-disp-06
Hilarie Orman <hilarie@purplestreak.com> Mon, 14 March 2011 18:39 UTC
To: stbryant@cisco.com
Cc: secdir@ietf.org, draft-ietf-httpbis-content-disp@tools.ietf.org, iesg@ietf.org, julian reschke <julian.reschke@greenbytes.de>
Oh, all right, you can use numbers, too. Slippery slope and all.

Hilarie

----- Original Message -----
From: "Stewart Bryant" <stbryant@cisco.com>
To: "Hilarie Orman" <ho@alum.mit.edu>
Cc: "julian reschke" <julian.reschke@greenbytes.de>, draft-ietf-httpbis-content-disp-06@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Sent: Monday, March 14, 2011 12:30:47 PM
Subject: Re: [secdir] review draft-ietf-httpbis-content-disp-06

>
> From a security viewpoint, I think the protocol should restrict
> filenames to ascii alphabetic characters (no "." or "/"), and that if
> the filename does not conform, the receiver SHOULD reject the message
> and send an error code back to the sender. The sender should not be
> allowed to specify a file extension. The receiver SHOULD write the
> files into a quarantined disk area using a temporary filename, the
> file to be released to the recommended name pending manual review.
> But, that would break the world, as would so many security
> recommendations.

Surely you mean ascii alpha-numeric characters?

Text fixing this would also address the security component of my Discuss.

- Stewart
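The receiver-side policy sketched in the quoted review, with the alpha-numeric correction the thread settles on (accept a filename parameter only if it is ASCII letters and digits, reject anything else with an error, and hold accepted files in a quarantine area under a temporary name until manual release), written out as an added Python example. This is not code from the thread or from the httpbis draft, and the header parser is a deliberate simplification (an assumption of the example): it reads only the plain `filename=` parameter, ignores the extended `filename*=` form, and does not handle a `;` inside a quoted string.

```python
import os
import re
import tempfile

# Policy from the thread (after the alpha-numeric correction): a filename is
# accepted only if it is non-empty ASCII letters and digits, so "." and "/"
# (and therefore any sender-supplied extension or path component) are
# rejected outright.
FILENAME_RE = re.compile(r"^[A-Za-z0-9]+$")


def extract_filename(content_disposition):
    """Return the plain filename= parameter of a Content-Disposition value.

    Simplified parser (assumption of this example): token or quoted-string
    form only; the extended filename*= parameter is ignored, and a ';' inside
    a quoted string is not handled.  Returns None if no filename is present.
    """
    parts = [p.strip() for p in content_disposition.split(";")]
    for param in parts[1:]:  # parts[0] is the disposition type itself
        name, sep, value = param.partition("=")
        if sep and name.strip().lower() == "filename":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                # quoted-string: drop the quotes and resolve backslash escapes
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            return value
    return None


def validate_filename(name):
    """True only for names that satisfy the strict alphanumeric policy."""
    return name is not None and FILENAME_RE.fullmatch(name) is not None


def quarantine(content_disposition, body, quarantine_dir=None):
    """Apply the receiver policy to one incoming attachment.

    Non-conforming names are rejected by raising ValueError (the caller maps
    that to its error response to the sender).  Accepted bodies are written
    under a temporary name inside quarantine_dir (the system temp dir when
    None); the recommended name is returned alongside so a later manual
    review step can release the file under it.
    """
    name = extract_filename(content_disposition)
    if not validate_filename(name):
        raise ValueError("filename parameter rejected by policy: %r" % (name,))
    fd, tmp_path = tempfile.mkstemp(prefix="incoming-", dir=quarantine_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(body)
    return tmp_path, name


if __name__ == "__main__":
    # Constructed sample header values, not taken from any real traffic.
    samples = [
        'attachment; filename="report.pdf"',      # extension -> rejected
        'attachment; filename="../etc/passwd"',   # path chars -> rejected
        "attachment; filename=invoice2011",       # alphanumeric -> accepted
        "inline",                                 # no name -> rejected
    ]
    for cd in samples:
        verdict = "accept" if validate_filename(extract_filename(cd)) else "reject"
        print("%-40s %s" % (cd, verdict))
```

The strictness is the point of the quoted recommendation, not a general-purpose parser: every decision the receiver makes is local and needs no knowledge of the sender's intent, and the temporary name means an accepted body never lands on disk under an attacker-influenced name before someone has looked at it.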