It appears that Paul Wouters via Datatracker <[email protected]> said:
>Section states:
>
>   If a report generator needs to re-send a report, the system
>   MUST use the same filename as the original report. This would
>   allow the receiver to overwrite the data from the original,
>   or discard second instance of the report.
>
>It seems dangerous to use file names based on received strings from unknown
>sources, and I don't think an RFC should recommend to use such strings as
>filenames, unless proper warnings are in place to exclude harmful ones (eg
>"../../../").

Section 2.5.2 describes the format of the filename for an attached XML report just above that paragraph. I don't know anyone who mechanically extracts them and blindly uses the name as an actual local filename. It's really a long complicated token, but it's called a filename in RFC 7489 and I think it would be needlessly confusing to change it now.

R's,
John
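An added example, not part of the original message or of any DMARC implementation: one way a report receiver can treat the attachment name as a token rather than a path, so that a re-sent report maps to the same stored object while names such as "../../../" are rejected. The grammar is the one in RFC 7489 section 7.2.1.1; the function names, the LDH-only restriction on domain labels, and the sample names are assumptions made for this sketch.

```python
import hashlib
import re

# RFC 7489 section 7.2.1.1:
#   filename = receiver "!" policy-domain "!" begin-timestamp "!" end-timestamp
#              [ "!" unique-id ] "." extension
#   unique-id = 1*(ALPHA / DIGIT), extension = "xml" / "xml.gz"
# Assumption of this sketch: domain labels are limited to letters, digits, hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})*"
_TOKEN = re.compile(
    rf"({_DOMAIN})!({_DOMAIN})!([0-9]{{1,12}})!([0-9]{{1,12}})"
    r"(?:!([A-Za-z0-9]+))?\.(xml\.gz|xml)"
)

def parse_report_token(name):
    """Return the fields of a well-formed report name, or None if it is not one."""
    if len(name) > 255:
        return None
    # fullmatch: no '/', '\\', NUL, whitespace or trailing newline can slip through.
    m = _TOKEN.fullmatch(name)
    if m is None:
        return None
    receiver, policy_domain, begin, end, unique_id, extension = m.groups()
    if int(begin) > int(end):
        return None
    return {"receiver": receiver, "policy_domain": policy_domain,
            "begin": int(begin), "end": int(end),
            "unique_id": unique_id, "extension": extension}

def storage_name(name):
    """Local object name derived from the token; the received string is never a path."""
    fields = parse_report_token(name)
    if fields is None:
        return None
    digest = hashlib.sha256(name.encode("ascii")).hexdigest()
    return f"{digest}.{fields['extension']}"

if __name__ == "__main__":
    # Constructed sample names, not taken from real reports.
    samples = [
        "mail.receiver.example!example.com!1013662812!1013749130.xml.gz",
        "mail.receiver.example!example.com!1013662812!1013749130!abc123.xml",
        "../../../",
        "mail.receiver.example!../../x!1013662812!1013749130.xml",
    ]
    for s in samples:
        print(repr(s), "->", storage_name(s))
```

Because the stored name is a digest of the validated token, a report re-sent under the same name resolves to the same object and can be overwritten or discarded as the quoted draft text describes.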
