On 02.03.2011 15:11, Julian Reschke wrote:
...
Proposed change for the three items in 4.3:

o Many platforms do not use Internet Media Types ([RFC2046]) to hold type information in the file system, but rely on filename extensions instead. Trusting the server-provided file extension could introduce a privilege escalation when the saved file is later opened (consider ".exe"). Thus, recipients SHOULD ensure that a file extension is used that is safe, optimally matching the media type of the received payload.

o Recipients SHOULD strip or replace character sequences that are known to cause confusion both in user interfaces and in filenames, such as control characters and leading and trailing whitespace.

o Other aspects recipients need to be aware of are names that have a special meaning in the file system or in shell commands, such as "." and "..", "~", "|", and also device names. Recipients SHOULD ignore or substitute names like these.

(see <http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/278/i278.diff>).
...
...applied with <http://trac.tools.ietf.org/wg/httpbis/trac/changeset/1152>; I plan to submit a -07 draft soon after LC ends.
Best regards, Julian
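The three recipient-side checks in the proposed 4.3 text, combined into one function, as an added example that is not part of the original message or the draft. The function name, the media-type-to-extension table, the `download` fallback and the `.bin` default are assumptions made for illustration.

```python
import re
import unicodedata

# Assumed allow-list: media type -> extension the recipient considers safe.
SAFE_EXT = {"text/plain": ".txt", "image/png": ".png", "application/pdf": ".pdf"}
DEFAULT_EXT = ".bin"   # assumed extension for media types not in the table
FALLBACK = "download"  # assumed substitute when nothing usable remains
# Windows device names, reserved whatever extension follows them.
DEVICE_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                | {f"COM{i}" for i in range(1, 10)}
                | {f"LPT{i}" for i in range(1, 10)})


def safe_filename(suggested: str, media_type: str) -> str:
    """Turn a server-suggested filename into one that is safe to save."""
    # Keep only the last path segment: the header must not pick a directory.
    name = re.split(r"[/\\]", suggested)[-1]
    # Drop control and format characters (categories Cc and Cf); Cf covers
    # bidirectional overrides that disguise the real extension in a UI.
    name = "".join(c for c in name
                   if unicodedata.category(c) not in ("Cc", "Cf"))
    # Substitute characters with special meaning to shells or file systems.
    name = re.sub(r'[~|<>:"*?]', "_", name)
    # Split off the server-provided extension; it is never trusted.
    stem, dot, _ext = name.rpartition(".")
    if not dot:
        stem = name
    # Strip leading/trailing whitespace and dots; "." and ".." become empty.
    stem = stem.strip(" .")
    if not stem:
        stem = FALLBACK
    # Substitute device names such as "CON" or "com1.tar".
    if stem.split(".")[0].upper() in DEVICE_NAMES:
        stem = "_" + stem
    # Use the extension that matches the media type of the received payload.
    base_type = media_type.split(";")[0].strip().lower()
    return stem + SAFE_EXT.get(base_type, DEFAULT_EXT)


if __name__ == "__main__":
    # Constructed sample inputs.
    for raw, mtype in [("invoice.exe", "application/pdf"),
                       ("  ../../etc/passwd\n", "text/plain"),
                       ("CON.txt", "text/plain")]:
        print(repr(raw), "->", safe_filename(raw, mtype))
```
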