
Re: conformance languages (issue 278), was: Last Call: <draft-ietf-httpbis-content-disp-06.txt> (Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP)) to Proposed Standard

2011-03-06 05:13:37
On 02.03.2011 15:11, Julian Reschke wrote:
...
Proposed change for the three items in 4.3:

o Many platforms do not use Internet Media Types ([RFC2046]) to hold
type information in the file system, but rely on filename
extensions instead. Trusting the server-provided file extension
could introduce a privilege escalation when the saved file is
later opened (consider ".exe"). Thus, recipients SHOULD ensure
that a file extension is used that is safe, optimally matching the
media type of the received payload.

o Recipients SHOULD strip or replace character sequences that are
known to cause confusion both in user interfaces and in filenames,
such as control characters and leading and trailing whitespace.

o Other aspects recipients need to be aware of are names that have a
special meaning in the file system or in shell commands, such as
"." and "..", "~", "|", and also device names. Recipients SHOULD
ignore or substitute names like these.

(see
<http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/278/i278.diff>).
...

...applied with <http://trac.tools.ietf.org/wg/httpbis/trac/changeset/1152>; I plan to submit a -07 draft soon after LC ends.

Best regards, Julian
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
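
The three recommendations quoted in the message above, applied to a server-suggested filename before it is saved. This is an added example, not part of the original message or of the draft. The function name, the media-type-to-extension table, the ".bin" fallback and the "download" default are assumptions made for illustration, and the code also drops any directory part of the name, which goes beyond the three quoted items.

```python
import posixpath
import re
import unicodedata

# Constructed allow-list (assumption): media type -> extensions treated as safe for it.
SAFE_EXTENSIONS = {
    "image/png": (".png",),
    "image/jpeg": (".jpg", ".jpeg"),
    "application/pdf": (".pdf",),
    "text/plain": (".txt",),
}
FALLBACK_EXTENSION = ".bin"  # assumption: used when the media type is not in the table
# Windows reserved device names; they are reserved with or without an extension.
DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{port}{n}" for port in ("COM", "LPT") for n in range(1, 10)
}


def safe_filename(suggested: str, media_type: str, default: str = "download") -> str:
    """Return a name safe to save under, derived from a server-suggested one."""
    # Item 2: drop control characters (Unicode category Cc), then trim whitespace.
    name = "".join(c for c in suggested if unicodedata.category(c) != "Cc").strip()
    # Beyond the three items: keep only the last path component.
    name = re.split(r"[\\/]", name)[-1]
    # Item 3: substitute characters that have a meaning in shell commands.
    name = re.sub(r"[~|]", "_", name)
    stem, ext = posixpath.splitext(name)
    # Item 3: ".", ".." and names made only of dots or spaces fall back to the default.
    stem = stem.strip(". ") or default
    # Item 3: device names are matched on the part before the first dot.
    if stem.split(".")[0].upper() in DEVICE_NAMES:
        stem = "_" + stem
    # Item 1: keep the extension only if it is allowed for the payload's media type.
    essence = media_type.split(";")[0].strip().lower()
    allowed = SAFE_EXTENSIONS.get(essence, (FALLBACK_EXTENSION,))
    if ext.lower() not in allowed:
        ext = allowed[0]
    return stem + ext
```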