[Standards] UPDATED: XEP-0363 (HTTP File Upload)
georg at op-co.de
Tue Nov 28 19:06:36 UTC 2017
* XMPP Extensions Editor <editor at xmpp.org> [2017-02-02 00:14]:
> Version 0.3.0 of XEP-0363 (HTTP File Upload) has been released.
From a brief reading of the XEP, it might be a good idea to add to the
security consideration a sentence or two about the inclusion of new-line
and other illegal characters in the <header> name, value and the slot
URLs, and how a client should handle those.
There are some interesting HTTP-level attacks related to new-lines,
and a malicious server might attempt a kind of blind scan by responding
with slot URLs on the client's LAN and waiting for repeated slot
requests. I'm not sure though if this second one is a practical risk,
and whether anything can be done about it.
|| http://op-co.de ++ GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N ++
|| gpg: 0x962FD2DE || o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+ ||
|| Ge0rG: euIRCnet || X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y? ||
++ IRCnet OFTC OPN ||_________________________________________________||