* XMPP Extensions Editor <[email protected]> [2017-02-02 00:14]:
> Version 0.3.0 of XEP-0363 (HTTP File Upload) has been released.

From a brief reading of the XEP, it might be a good idea to add to the security consideration a sentence or two about the inclusion of new-line and other illegal characters in the <header> name, value and the slot URLs, and how a client should handle those.

There are some interesting HTTP-level attacks related to new-lines [0], and a malicious server might attempt a kind of blind scan by responding with slot URLs on the client's LAN and waiting for repeated slot requests. I'm not sure though if this second one is a practical risk, and whether anything can be done about it.

Georg

[0] http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html

-- 
|| http://op-co.de ++  GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N  ++
|| gpg: 0x962FD2DE ||  o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+  ||
|| Ge0rG: euIRCnet ||  X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y?   ||
++ IRCnet OFTC OPN ||_________________________________________________||
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
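
One way a client could screen a slot response for the two issues raised in the message above, as an added example that is not part of the original message or of XEP-0363. The function names are hypothetical, and accepting only https and refusing non-public IP literals are assumptions of this sketch.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 7230 "token": the only characters legal in an HTTP header field name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Control characters (CR, LF, NUL, ...) and DEL; horizontal tab is legal in a value.
CTL_IN_VALUE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# A URL must not contain raw control characters or whitespace at all.
BAD_IN_URL = re.compile(r"[\x00-\x20\x7f]")

def check_url(url):
    """Return a list of reasons to refuse a slot URL (empty list = acceptable)."""
    if BAD_IN_URL.search(url):  # check first: urlsplit() may silently strip CR/LF
        return ["control character or whitespace in URL"]
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return ["URL does not parse"]
    problems = []
    if parts.scheme != "https":  # assumption: this client only accepts https slots
        problems.append("scheme is not https")
    if not host:
        problems.append("URL has no host")
    try:
        # Only IP literals are judged; names resolving to LAN addresses are not.
        if not ipaddress.ip_address(host).is_global:
            problems.append("host is a non-public IP literal")
    except ValueError:
        pass  # a DNS name, not an IP literal
    return problems

def check_slot(put_url, get_url, headers):
    """Validate both slot URLs and every (name, value) pair from <header/>."""
    problems = [f"PUT URL: {p}" for p in check_url(put_url)]
    problems += [f"GET URL: {p}" for p in check_url(get_url)]
    for name, value in headers:
        if not TOKEN.fullmatch(name):
            problems.append(f"header name {name!r} is not an HTTP token")
        if CTL_IN_VALUE.search(value):
            problems.append(f"header {name!r}: control character in value")
    return problems

# Constructed sample slots (not taken from the XEP or from any real server).
GOOD_SLOT = ("https://upload.example.org/a1b2/photo.png",
             "https://upload.example.org/a1b2/photo.png",
             [("Authorization", "Basic Base64String==")])
BAD_SLOT = ("https://192.168.1.10:8443/a1b2/photo.png",
            "https://upload.example.org/x\r\nHost: intranet.example",
            [("Cookie", "a=b\r\nX-Injected: 1"), ("Bad Name", "v")])
```

A client would run this on the slot response before issuing the PUT and drop the slot if the list is non-empty, rather than trying to strip the offending characters.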
