
Re: [sieve] Working group last call on draft-ietf-sieve-include

2011-09-26 17:14:46
Hi Robert,

Robert Burrell Donkin wrote:

> On Sat, Sep 24, 2011 at 4:08 PM, Alexey Melnikov
> <alexey(_dot_)melnikov(_at_)isode(_dot_)com> wrote:
>> Aaron Stone wrote:
>>
>> <snip>
>>> In the case of a MUST, it means that a valid includes implementation
>>> imposes a script naming restriction. If a site isn't using
>>> managesieve, would that site really need to accept the name
>>> restrictions?
>> If you don't make it a MUST, then nobody can rely upon the rule.
>
> I'm a little unclear why allowing people to rely on this rule should
> be seen as a good thing...
>
> 1. Can anyone think of a use case that could be satisfied best by an
> author intentionally including a restricted script name?

ManageSieve script names are quite permissive: basically, various control characters are disallowed. IMHO, disallowing control characters in script names is a good thing.

> 2. Allowing implementors to rely on this rule may create a false sense
> of security, and so may encourage them to neglect proper checks on
> names before accessing their backing store. What are the positive
> benefits that outweigh this risk?

Quite the opposite: if the rule is a MUST, then implementations can validate names and reject invalid ones.

> In any case, I think reminding people about potential attacks in "4.
> Security Considerations" would be useful, so I would like to see
> something like [1] included.
>
> Robert
>
> [1] Sieve implementations MUST check that script names are safe for
> use with their storage system. Any script including a name which could
> be used as a vector to attack the system used to store scripts MUST be
> rejected.

This is probably worth adding irrespective of my comments above.


_______________________________________________
sieve mailing list
sieve(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/sieve
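As an added example (not from this thread and not the code of any Sieve implementation), a Python check of the kind Robert's proposed text [1] asks an `include` implementation to perform: it first applies the ManageSieve character restriction Alexey mentions, then adds the storage-specific check for a filesystem-backed script store. The forbidden code point ranges are reproduced from RFC 5804 Section 1.6 as I recall them, the script directory path is a hypothetical placeholder that need not exist, and the sample names are constructed.

```python
import os

# Code points ManageSieve (RFC 5804, Section 1.6) forbids in script names:
# C0 controls, DEL, C1 controls, and the Unicode line/paragraph separators.
# Assumption: these ranges are reproduced from memory; verify against the RFC.
FORBIDDEN_RANGES = (
    (0x0000, 0x001F),
    (0x007F, 0x007F),
    (0x0080, 0x009F),
    (0x2028, 0x2029),
)


def managesieve_name_ok(name: str) -> bool:
    """True if the name satisfies the ManageSieve character rules
    (non-empty, no forbidden code points)."""
    if not name:
        return False
    return not any(lo <= ord(ch) <= hi for ch in name for lo, hi in FORBIDDEN_RANGES)


def storage_name_ok(name: str, script_dir: str) -> bool:
    """The extra check Robert's text [1] asks for, here for a filesystem-backed
    store: the name must stay a plain entry directly inside script_dir.

    script_dir is a hypothetical path; it does not have to exist, it is only
    used to resolve the candidate path.
    """
    if not managesieve_name_ok(name):
        return False
    # Path separators and the two relative components are the obvious ways a
    # name turns into a traversal vector on a filesystem backend; reject them
    # outright instead of relying on later normalisation to catch them.
    if "/" in name or "\\" in name or name in (".", ".."):
        return False
    # Belt and braces: resolve both paths and require the candidate to be a
    # direct child of the script directory with its name unchanged. A symlink
    # inside script_dir pointing elsewhere also fails this check.
    base = os.path.realpath(script_dir)
    target = os.path.realpath(os.path.join(base, name))
    return os.path.dirname(target) == base and os.path.basename(target) == name


def triage(names, script_dir):
    """Return the names an include implementation would reject."""
    return [n for n in names if not storage_name_ok(n, script_dir)]


# Constructed sample include names; the last four are the kind of input the
# check exists to reject (empty, traversal, separator, control character).
SAMPLE_NAMES = [
    "vacation",
    "spam-filter",
    "a..b",
    "",
    "../other-user/script",
    "sub/script",
    "bad\x00name",
]

if __name__ == "__main__":
    # Hypothetical script directory; only used for path resolution.
    for n in SAMPLE_NAMES:
        verdict = "ok" if storage_name_ok(n, "/var/lib/sieve/scripts") else "REJECT"
        print(repr(n), verdict)
```

The two layers are deliberately separate: the character rule is the one ManageSieve already imposes (and the one the draft can make a MUST), while the second function is the part that depends on the backing store and so has to be written by the implementor, which is exactly why [1] phrases it as "safe for use with their storage system" rather than listing characters.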