On Tue, Sep 11, 2012 at 09:50:26AM +0200, Andreas Tille wrote:
> On Mon, Sep 10, 2012 at 04:45:53PM -0700, Russ Allbery wrote:
> >
> > > - About security, the discussion on debian-devel leads me to think that
> > > there is no need to worry. I included a short comment suggesting that
> > > field values should be sanitised as usual. Does anybody see other
> > > potential security issues ?
> >
> > No, your security considerations seem reasonable to me.
>
> While it is probably very reasonable to do sanity checks as usual the
> "as usual" is a hint that the phrase might be redundant. It somehow has
> the value as "People parsing debian/copyright should know their job."
Hi Andreas and everybody,

In my understanding of http://tools.ietf.org/html/rfc4288#section-4.6, this is what is expected for this section. For a broad readership, the recommendation is not completely tautological, as it indicates that there are best practices for input sanitisation (which may not be the case for more complex or novel security issues).

To help convey this message, I changed « and » to « to » in the last sentence:

  Parsers should therefore follow general practices to sanitise their input.

I have requested a pre-submission review to [email protected].

http://lists.debian.org/[email protected]

This is not the formal submission so further comments are still very welcome in this thread.

Cheers,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
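The "general practices to sanitise their input" recommendation discussed above, as an added example that is not part of this thread, of the Debian copyright-format specification, or of any Debian tool: a small defensive parser for the RFC 822-style stanza syntax used by machine-readable debian/copyright files. It decodes strictly as UTF-8, rejects control characters and oversize lines, enforces the control-file field-name syntax, and refuses duplicate fields and orphan continuation lines instead of passing them through. The line-length and field-count limits, the sample file and the `rejects` helper are constructed for illustration and are not mandated by the format.

```python
"""Defensive parser for the stanza syntax of machine-readable debian/copyright.
Added example for this page; not code from Debian policy or the registration."""
import re
from typing import Dict, List

# Constructed limits for this example; neither the thread nor the format
# specification mandates particular values.
MAX_LINE_LENGTH = 4096
MAX_FIELDS_PER_STANZA = 256

# Debian control-file field names: US-ASCII 0x21-0x39 and 0x3B-0x7E
# (no space, no colon, no control characters), not starting with '#' or '-'.
FIELD_NAME_RE = re.compile(r'^[!"$-,.-9;-~][!-9;-~]*$')


class CopyrightSyntaxError(ValueError):
    """Raised for any input the parser refuses to accept."""


def _check_line(line: str, lineno: int) -> None:
    """Reject oversize lines and every control character other than TAB."""
    if len(line) > MAX_LINE_LENGTH:
        raise CopyrightSyntaxError(f"line {lineno}: longer than {MAX_LINE_LENGTH} characters")
    for ch in line:
        code = ord(ch)
        if (code < 0x20 and ch != "\t") or code == 0x7F:
            raise CopyrightSyntaxError(f"line {lineno}: control character U+{code:04X}")


def parse_copyright(text: str) -> List[Dict[str, str]]:
    """Parse stanzas into a list of {lower-case field name: value} dicts."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_field = None
    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw[:-1] if raw.endswith("\r") else raw  # tolerate CRLF line ends
        _check_line(line, lineno)
        if line.strip(" \t") == "":  # blank line ends the stanza
            if current:
                stanzas.append(current)
                current, last_field = {}, None
            continue
        if line.startswith("#"):  # comment line, permitted by the format
            continue
        if line[0] in " \t":  # continuation line of the previous field
            if last_field is None:
                raise CopyrightSyntaxError(f"line {lineno}: continuation without a field")
            body = line.lstrip(" \t")
            # A lone '.' stands for an empty line inside a multi-line value.
            current[last_field] += "\n" + ("" if body == "." else body)
            continue
        name, sep, value = line.partition(":")
        if not sep or not FIELD_NAME_RE.match(name):
            raise CopyrightSyntaxError(f"line {lineno}: malformed field name {name!r}")
        key = name.lower()
        if key in current:
            raise CopyrightSyntaxError(f"line {lineno}: duplicate field {name!r}")
        if len(current) >= MAX_FIELDS_PER_STANZA:
            raise CopyrightSyntaxError(f"line {lineno}: too many fields in one stanza")
        current[key] = value.strip(" \t")
        last_field = key
    if current:
        stanzas.append(current)
    return stanzas


def parse_copyright_bytes(data: bytes) -> List[Dict[str, str]]:
    """Decode strictly as UTF-8 before parsing; invalid bytes are an error."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise CopyrightSyntaxError(f"invalid UTF-8 at byte {exc.start}") from exc
    return parse_copyright(text)


def rejects(data) -> bool:
    """True when the parser refuses the input rather than passing it through."""
    try:
        if isinstance(data, bytes):
            parse_copyright_bytes(data)
        else:
            parse_copyright(data)
    except CopyrightSyntaxError:
        return True
    return False


# Constructed sample file for this example; not taken from any real package.
SAMPLE = """\
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: example

Files: *
Copyright: 2012 Example Author
License: MIT
 Permission is hereby granted, free of charge, to any person
 .
 THE SOFTWARE IS PROVIDED "AS IS".
"""

if __name__ == "__main__":
    for stanza in parse_copyright(SAMPLE):
        print(stanza)
    print("NUL byte rejected:", rejects("Files: *\x00\n"))
```

The design choice worth noting is that every violation raises instead of being silently stripped or truncated: a consumer that renders field values elsewhere (web page, shell, another file format) then never sees a control character or a malformed field name, which is the "general practice" the registration text points at.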

