Re: [secdir] review draft-ietf-httpbis-content-disp-06

Hilarie Orman <hilarie@purplestreak.com> Mon, 14 March 2011 18:39 UTC

Date: Mon, 14 Mar 2011 12:41:11 -0600 (MDT)
From: Hilarie Orman <hilarie@purplestreak.com>
To: stbryant@cisco.com
Message-ID: <719652105.466767.1300128071617.JavaMail.root@zms03.zcs>
In-Reply-To: <4D7E5ED7.9020404@cisco.com>
Cc: secdir@ietf.org, draft-ietf-httpbis-content-disp@tools.ietf.org, iesg@ietf.org, julian reschke <julian.reschke@greenbytes.de>
Subject: Re: [secdir] review draft-ietf-httpbis-content-disp-06
List-Id: Security Area Directorate <secdir.ietf.org>

Oh, all right, you can use numbers, too.  Slippery slope and all.

Hilarie

----- Original Message -----
From: "Stewart Bryant" <stbryant@cisco.com>
To: "Hilarie Orman" <ho@alum.mit.edu>
Cc: "julian reschke" <julian.reschke@greenbytes.de>, draft-ietf-httpbis-content-disp-06@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Sent: Monday, March 14, 2011 12:30:47 PM
Subject: Re: [secdir] review draft-ietf-httpbis-content-disp-06

> From a security viewpoint, I think the protocol should restrict
> filenames to ascii alphabetic characters (no "." or "/"), and that if
> the filename does not conform, the receiver SHOULD reject the message
> and send an error code back to the sender.  The sender should not be
> allowed to specify a file extension.  The receiver SHOULD write the
> files into a quarantined disk area using a temporary filename, the
> file to be released to the recommended name pending manual review.
> But, that would break the world, as would so many security
> recommendations.
Surely you mean ascii alpha-numeric characters?

Text fixing this would also address the security component of my Discuss.

- Stewart
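An added example, not part of this thread or of the draft under review (later published as RFC 6266): a receiver-side check that applies the policy Orman sketches and Bryant amends, namely filenames restricted to ASCII alphanumerics (so no "." or "/", and therefore no sender-chosen extension), with any non-conforming name rejected and the body parked under a temporary name in a quarantine area pending release. It is wrapped around a small Content-Disposition parameter parser so the check runs on realistic header values. The sample header values are constructed; the 64-character length cap, the quarantine naming scheme and all function names are my assumptions; giving a decoded filename* parameter precedence over filename follows the draft's own rule.

```python
import os
import re
import secrets
import urllib.parse

# Constructed sample Content-Disposition values for the demo (not taken from the draft).
SAMPLE_HEADERS = {
    "plain":     'attachment; filename="report"',
    "extension": 'attachment; filename="report.exe"',
    "traversal": 'attachment; filename="../../etc/passwd"',
    "rfc5987":   "attachment; filename*=UTF-8''r%C3%A9sum%C3%A9",
    "both":      "attachment; filename=\"fallback\"; filename*=UTF-8''safe42",
}

# The thread's policy: ASCII letters and digits only. The 1..64 length cap is an assumption.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9]{1,64}$")

# One ';'-separated parameter: name, then either a quoted-string or a bare token value.
PARAM_RE = re.compile(
    r";\s*([A-Za-z0-9!#$&+.^_`|~*-]+)\s*=\s*"       # parameter name ('*' covers filename*)
    r'("(?:[^"\\]|\\.)*"|[^;]*?)\s*(?=;|$)'          # quoted-string, or token up to next ';'
)


def parse_content_disposition(value):
    """Return (disposition_type, {param_name: decoded_value}).

    Quoted-string values are unquoted and backslash-unescaped. A name ending in '*'
    is treated as an RFC 5987 ext-value (charset'lang'pct-encoded) and decoded.
    Raises ValueError when a value cannot be decoded, so the caller rejects it.
    """
    head, sep, rest = value.partition(";")
    params = {}
    for name, raw in PARAM_RE.findall(";" + rest if sep else ""):
        name = name.lower()
        if raw.startswith('"'):
            if not raw.endswith('"') or len(raw) < 2:
                raise ValueError("unterminated quoted-string in %s" % name)
            val = re.sub(r"\\(.)", r"\1", raw[1:-1])
        else:
            val = raw.strip()
        if name.endswith("*"):
            charset, _, encoded = val.partition("'")
            _lang, _, encoded = encoded.partition("'")
            try:
                val = urllib.parse.unquote(encoded, encoding=charset or "utf-8", errors="strict")
            except (LookupError, UnicodeDecodeError) as exc:
                raise ValueError("undecodable %s: %s" % (name, exc))
        params[name] = val
    return head.strip().lower(), params


def choose_filename(header_value):
    """Pick the sender's suggested name (filename* wins over filename) and enforce the policy.

    Returns None when no name was offered; raises ValueError for a non-conforming name.
    """
    _disp_type, params = parse_content_disposition(header_value)
    name = params.get("filename*") or params.get("filename")
    if name is None:
        return None
    if not ALLOWED_NAME.match(name):
        raise ValueError("rejected filename parameter: %r" % name)
    return name


def evaluate(header_value):
    """Convenience wrapper: ('accept', name_or_None) or ('reject', reason)."""
    try:
        return ("accept", choose_filename(header_value))
    except ValueError as exc:
        return ("reject", str(exc))


def quarantine(body, header_value, quarantine_dir):
    """Write body under a random temporary name; the recommended name is only recorded.

    Releasing the file to its recommended name is a separate, manual step, as the
    proposal above suggests. Naming scheme is an assumption.
    """
    recommended = choose_filename(header_value)          # raises before anything is written
    path = os.path.join(quarantine_dir, "q-" + secrets.token_hex(8))
    with open(path, "xb") as fh:                         # 'x': never clobber an existing file
        fh.write(body)
    return path, recommended


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print("%-10s %-55s -> %s" % (label, header, evaluate(header)))
```

Note that the "rfc5987" case is rejected even though the decoding succeeded: the decoded name contains non-ASCII characters, which is exactly the class of names the proposal rules out. A deployment that wants the internationalised names the draft was written to enable would instead map the decoded name to a safe local name rather than reject it; the quarantine step stays the same either way.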