
Re: [sieve] Working group last call on draft-ietf-sieve-include

2011-09-26 17:36:15
On Mon, Sep 26, 2011 at 2:06 PM, Alexey Melnikov
<alexey(_dot_)melnikov(_at_)isode(_dot_)com> wrote:
> Hi Robert,
>
> Robert Burrell Donkin wrote:
>
>> On Sat, Sep 24, 2011 at 4:08 PM, Alexey Melnikov
>> <alexey(_dot_)melnikov(_at_)isode(_dot_)com> wrote:
>>
>>> Aaron Stone wrote:
>>>
>>>> In the case of a MUST, it means that a valid includes implementation
>>>> imposes a script naming restriction. If a site isn't using
>>>> managesieve, would that site really need to accept the name
>>>
>>> If you don't make it a MUST, then nobody can rely upon the rule.
>>
>> I'm a little unclear why allowing people to rely on this rule should
>> be seen as a good thing...
>>
>> 1. Can anyone think of a use case that could be satisfied best by an
>> author intentionally including a restricted script name?
>
> ManageSieve script names are quite permissive: basically various control
> characters are disallowed. IMHO, disallowing control characters in script
> names is a good thing.
>
>> 2. Allowing implementors to rely on this rule may create a false sense
>> of security, and so may encourage them to neglect proper checks on
>> names before accessing their backing store. What are the positive
>> benefits that outweigh this risk?
>
> Quite the opposite: if the rule is a MUST, then implementations can validate
> names and reject invalid ones.
>
>> In any case, I think reminding people about potential attacks in "4.
>> Security Considerations" would be useful, so I would like to see
>> something like [1] included.
>>
>> [1] Sieve implementations MUST check that script names are safe for
>> use with their storage system. Any script including a name which could
>> be used as a vector to attack the system used to store scripts MUST be
>
> This is probably worth adding irrespectively of my comments above.

Agreed, I'll include this language. I also have Stephan's list of his
updates that I missed, so I'll integrate both and post an update.
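
As an added illustration (not part of the thread or of the draft): a sketch of the two checks discussed above, the ManageSieve script-name rule and a separate storage-safety check, assuming the backing store is a single flat filesystem directory. The function names, the `.sieve` suffix and the directory layout are assumptions; the forbidden code points are the ones RFC 5804 lists for script names.

```python
import unicodedata
from pathlib import Path

# Code points RFC 5804 (ManageSieve) forbids in script names:
# C0 controls, DELETE, C1 controls, LINE and PARAGRAPH SEPARATOR.
FORBIDDEN_RANGES = [(0x0000, 0x001F), (0x007F, 0x007F),
                    (0x0080, 0x009F), (0x2028, 0x2029)]


class UnsafeScriptName(ValueError):
    """Raised when an include name fails validation."""


def check_managesieve_name(name: str) -> None:
    """Protocol-level rule: non-empty, no forbidden code points."""
    if not name:
        raise UnsafeScriptName("empty script name")
    for ch in name:
        cp = ord(ch)
        if any(lo <= cp <= hi for lo, hi in FORBIDDEN_RANGES):
            raise UnsafeScriptName(f"forbidden code point U+{cp:04X}")


def resolve_include(base_dir: Path, name: str) -> Path:
    """Map an include name to a file directly inside base_dir, or raise."""
    check_managesieve_name(name)
    name = unicodedata.normalize("NFC", name)
    # Storage-level rule (assumed flat directory store): the naming rule
    # alone still permits '/' and '..', so check them for this backend.
    if name in (".", "..") or "/" in name or "\\" in name:
        raise UnsafeScriptName("path separator or dot segment in name")
    base = base_dir.resolve()
    candidate = (base / (name + ".sieve")).resolve()
    # resolve() follows symlinks, so a link pointing outside is caught here.
    if candidate.parent != base:
        raise UnsafeScriptName("name resolves outside the script directory")
    return candidate


def is_safe(base_dir: Path, name: str) -> bool:
    """Convenience wrapper returning a boolean instead of raising."""
    try:
        resolve_include(base_dir, name)
        return True
    except UnsafeScriptName:
        return False
```

A name such as `../../etc/passwd` passes the control-character rule and is rejected only by the storage-level check, which is why the two are kept as separate steps.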
