[Standards] UPDATED: XEP-0363 (HTTP File Upload)

Georg Lukas georg at op-co.de
Tue Nov 28 19:06:36 UTC 2017

* XMPP Extensions Editor <editor at xmpp.org> [2017-02-02 00:14]:
> Version 0.3.0 of XEP-0363 (HTTP File Upload) has been released.

from a brief reading of the XEP, it might be a good idea to add to the
security consideration a sentence or two about the inclusion of new-line
and other illegal characters in the <header> name, value and the slot
URLs, and how a client should handle those.

There are some interesting HTTP-level attacks related to new-lines [0],
and a malicious server might attempt a kind of blind scan by responding
with slot URLs on the client's LAN and waiting for repeated slot
requests. I'm not sure though if this secon one is a practical risk,
and whether anything can be done about it.


[0] http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html
|| http://op-co.de ++  GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N  ++
|| gpg: 0x962FD2DE ||  o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+  ||
|| Ge0rG: euIRCnet ||  X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y?   ||
++ IRCnet OFTC OPN ||_________________________________________________||
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://mail.jabber.org/pipermail/standards/attachments/20171128/de7637e5/attachment.sig>

More information about the Standards mailing list