Julian Reschke wrote:
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-content-disp-06.html#rfc.section.4.3>,
I believe we really should say "SHOULD" in all the three last items:
o Many platforms do not use Internet Media Types ([RFC2046]) to hold
type information in the file system, but rely on filename
extensions instead. Trusting the server-provided file extension
could introduce a privilege escalation when the saved file is
later opened (consider ".exe"). Thus, recipients need to ensure
that a file extension is used that is safe, optimally matching the
media type of the received payload.
-> SHOULD ensure
o Recipients are advised to strip or replace character sequences
that are known to cause confusion both in user interfaces and in
filenames, such as control characters and leading and trailing
whitespace.
-> SHOULD strip or replace
o Other aspects recipients need to be aware of are names that have a
special meaning in the file system or in shell commands, such as
"." and "..", "~", "|", and also device names.
-> ...and SHOULD ignore or substitute these names...
...the last one is a bit tricky, as what's special really depends on the
operating system...

Everything around filenames can be very tricky --
especially with Filesystems like Microsoft Windows NTFS.
Seemingly sufficient (but factually quite incomplete) guidelines
are going to cause more problems than they solve.
Think of a Filename such as ".\ badfilename.txt ::$DATA"
that does not appear to have leading or trailing space characters.
If you do anything like this in a Windows CMD.EXE:

    echo hi there > ".\ badfilename.txt ::$DATA"
    echo hi there > "\ badfilename.txt ::$DATA"
    echo hi there > " badfilename.txt ::$DATA"
    echo hi there > "badfilename.txt ::$DATA"

then you obtain files that Windows Explorer can NOT cope with.
(you can only delete them from the command line, e.g. del *badfilename.txt* )
-Martin
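
A recipient-side sketch of the three checks discussed in this thread, run against the ".\ badfilename.txt ::$DATA" case among others. It is an added example, not part of either message or of the draft. The function name, the SAFE_EXT allowlist, the fallback name and the policy of always discarding the server-supplied extension are assumptions made for illustration.

```python
import re
import unicodedata

# Windows reserved device names, compared case-insensitively.
DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}
# ':' is the NTFS stream delimiter; the rest are shell or wildcard characters.
SPECIAL = re.compile(r'[<>:"|?*~]')
EDGE = re.compile(r"^[\s._]+|[\s._]+$")
# Hypothetical allowlist: media type -> the only extension that gets written.
SAFE_EXT = {"text/plain": ".txt", "application/pdf": ".pdf", "image/png": ".png"}


def safe_filename(suggested, media_type, fallback="download"):
    """Map a server-suggested filename to one that is safe to create locally."""
    name = unicodedata.normalize("NFC", suggested)
    # Control and format characters (categories Cc, Cf) confuse UIs and shells.
    name = "".join(c for c in name if unicodedata.category(c) not in ("Cc", "Cf"))
    # Keep only the last path component, whichever separator the server used.
    name = re.split(r"[/\\]", name)[-1]
    name = SPECIAL.sub("_", name)
    # Trim whitespace, dots and placeholders at both ends: "." and ".." vanish,
    # and Win32 would silently drop trailing spaces and dots anyway.
    name = EDGE.sub("", name)
    # Discard the server-supplied extension (and anything after it).
    stem = EDGE.sub("", name.rpartition(".")[0] or name)
    if not stem:
        stem = fallback
    # Device names are matched on the part before the first dot.
    if stem.split(".")[0].upper() in DEVICE_NAMES:
        stem = "_" + stem
    # The extension comes from the media type actually received, never the name.
    ext = SAFE_EXT.get(media_type.split(";")[0].strip().lower(), "")
    return stem[:100] + ext
```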