From debbugs-submit-bounces@debbugs.gnu.org Thu Sep 14 03:47:13 2023 Received: (at submit) by debbugs.gnu.org; 14 Sep 2023 07:47:14 +0000 Received: from localhost ([127.0.0.1]:37217 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qgh4A-00087k-BG for submit@debbugs.gnu.org; Thu, 14 Sep 2023 03:47:13 -0400 Received: from lists.gnu.org ([2001:470:142::17]:48486) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qgfYf-000566-Pv for submit@debbugs.gnu.org; Thu, 14 Sep 2023 02:10:37 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qgfYU-0006Yf-OH for bug-gnu-emacs@gnu.org; Thu, 14 Sep 2023 02:10:22 -0400 Received: from challenge-bot.com ([2602:fffa:fff:108a:0:16:3e15:92b8]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qgfYS-0006f3-1v for bug-gnu-emacs@gnu.org; Thu, 14 Sep 2023 02:10:22 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=challenge-bot.com; s=20180430; h=Content-Type:MIME-Version:Message-ID: Subject:Cc:To:From:Date:From; bh=gMVaPkXo8wS/vpujQjxyb45y4cWJsMwRAzmEjOEYiwo= ; b=naO3qzwMLXpkeBDgoYEgGasgZjg17zyhv+fsFN8HfiW87A1GpTk5PPlTVevBsR5kwb3ThUnlF baQBqH8wLD0CMRPQZU2X+skPUSZVC/gduyL7hMK5uIQPE4dagIsJnFEwGzxjkCSxZq18oQb5GBKFG G9RRSgIBV8YlUXzkAYubA=; Received: from ozzloy by challenge-bot.com with local (Exim 4.94.2) (envelope-from ) id 1qgfYJ-00GgMZ-P2; Wed, 13 Sep 2023 23:10:11 -0700 Date: Wed, 13 Sep 2023 23:10:11 -0700 From: daniel watson To: bug-gnu-emacs@gnu.org Subject: [PATCH] ; send filename, not full path, on EWW form submit Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="wNG0Lg4LmFGGOPcM" Content-Disposition: inline Received-SPF: pass client-ip=2602:fffa:fff:108a:0:16:3e15:92b8; envelope-from=ozzloy@challenge-bot.com; helo=challenge-bot.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: 0.9 (/) X-Debbugs-Envelope-To: submit X-Mailman-Approved-At: Thu, 14 Sep 2023 03:47:08 -0400 Cc: daniel watson X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.1 (/) --wNG0Lg4LmFGGOPcM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline 0. in one terminal, run this http server https://git.sr.ht/~ozzloy/emacs-bug-63941/tree/master/item/server.py 1. in another terminal, run socat -v tcp-listen:8086,fork tcp:localhost:8085 2. browse to the page with EWW, M-x eww localhost:8086 3. put the cursor on the word "Browse" 4. select any file to which you have read access for uploading 5. put cursor on "Submit" 6. observe the full path of the file is sent to the server. this is visible in both the python output and the socat output. i'm including the diff inline to make it easier to review without downloading the attached file. --- lisp/net/eww.el | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lisp/net/eww.el b/lisp/net/eww.el index 4ddda216afc..f28273dcc58 100644 --- a/lisp/net/eww.el +++ b/lisp/net/eww.el @@ -1849,7 +1849,7 @@ eww-submit (insert-file-contents file) (buffer-string))) (cons "name" name) - (cons "filename" file)) + (cons "filename" (file-name-nondirectory file))) values))) ((equal (plist-get input :type) "submit") ;; We want the values from buttons if we hit a button if -- 2.39.2 In GNU Emacs 29.1 (build 2, x86_64-pc-linux-gnu, GTK+ Version 3.24.20, cairo version 1.16.0) of 2023-08-03 built on bos03-amd64-031 Repository revision: cf57ec68c2a5ac5b721f445928869ca14232a4d1 Repository branch: master Windowing system distributor 'The X.Org Foundation', version 11.0.12101007 System Description: Ubuntu 23.04 Configured using: 'configure --prefix=/snap/emacs/current/usr --with-x-toolkit=gtk3 --without-xaw3d --with-modules --with-cairo --with-native-compilation=aot --with-xinput2 --with-tree-sitter --with-json 'CFLAGS=-isystem/build/emacs/parts/emacs/install/usr/include -isystem/build/emacs/parts/emacs/install/usr/include/x86_64-linux-gnu -isystem/build/emacs/stage/usr/include -O2' 'CPPFLAGS=-isystem/build/emacs/parts/emacs/install/usr/include -isystem/build/emacs/parts/emacs/install/usr/include/x86_64-linux-gnu -isystem/build/emacs/stage/usr/include' 'LDFLAGS=-L/build/emacs/parts/emacs/install/lib -L/build/emacs/parts/emacs/install/usr/lib -L/build/emacs/parts/emacs/install/lib/x86_64-linux-gnu -L/build/emacs/parts/emacs/install/usr/lib/x86_64-linux-gnu -L/build/emacs/stage/usr/lib'' --wNG0Lg4LmFGGOPcM Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="0001-send-filename-not-full-path-on-EWW-form-submit.patch" >From 7b360d91a6667034da7c682af01ee1008d052c40 Mon Sep 17 00:00:00 2001 From: Daniel Watson Date: Tue, 12 Sep 2023 00:06:14 -0700 Subject: [PATCH] ; send filename, not full path, on EWW form submit ; * lisp/net/eww.el (eww-submit): Instead of sending the entire file ; path, send just the filename and not the directory. This is the ; behavior seen in other clients, such as firefox, chromium, and curl. ; It keeps information about the users directory structure private. --- lisp/net/eww.el | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lisp/net/eww.el b/lisp/net/eww.el index 4ddda216afc..f28273dcc58 100644 --- a/lisp/net/eww.el +++ b/lisp/net/eww.el @@ -1849,7 +1849,7 @@ eww-submit (insert-file-contents file) (buffer-string))) (cons "name" name) - (cons "filename" file)) + (cons "filename" (file-name-nondirectory file))) values))) ((equal (plist-get input :type) "submit") ;; We want the values from buttons if we hit a button if -- 2.39.2 --wNG0Lg4LmFGGOPcM-- From debbugs-submit-bounces@debbugs.gnu.org Fri Sep 15 07:47:27 2023 Received: (at 65973) by debbugs.gnu.org; 15 Sep 2023 11:47:27 +0000 Received: from localhost ([127.0.0.1]:42283 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qh7IE-0002fZ-UZ for submit@debbugs.gnu.org; Fri, 15 Sep 2023 07:47:27 -0400 Received: from mail-lj1-x22d.google.com ([2a00:1450:4864:20::22d]:48325) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qh7IA-0002fK-Dt for 65973@debbugs.gnu.org; Fri, 15 Sep 2023 07:47:25 -0400 Received: by mail-lj1-x22d.google.com with SMTP id 38308e7fff4ca-2bfb12b24e5so32279811fa.0 for <65973@debbugs.gnu.org>; Fri, 15 Sep 2023 04:47:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1694778429; x=1695383229; darn=debbugs.gnu.org; h=cc:to:subject:message-id:date:mime-version:references:in-reply-to :from:from:to:cc:subject:date:message-id:reply-to; bh=DfZAlUQHZ28bsDr45fRIZ/zly43Q2FUiWyQpkphKhrg=; b=hu/iErtSXoscf4O9zogaeiZEf+SJjHEV3KQFg+j6Kas64z2Tlov4gmBono2dyyqotw 7GEIaZ6uSPc+DhuYBN2kYMbXAXLSb1mGeVoUnjU6chVLdvzBd/jRsGJxeaY636rAumNq NuUeXS2HXlBnpzZAMy/l05Cp0nPYtFQtZdPhN/Xb4HGFHHICEqzLMgZppAPn8CFzzdJn /cilV3z41QDOczowW9Klg73qs/95W86bEztxUf7IA+uniYgnacOjoU9wDEKipz73+mQN i8ouxZRt8r8CruxQpQzRshuVphfLJzH0/fLe7rZDA1jYRBcBeBIhM/D3QrqFj03XuGQE czcw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1694778429; x=1695383229; h=cc:to:subject:message-id:date:mime-version:references:in-reply-to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=DfZAlUQHZ28bsDr45fRIZ/zly43Q2FUiWyQpkphKhrg=; b=ajCQE2h3OgjF8pexSCYshZtmXSC1SMfBhKzQDzDvyKDzo38xkhIb8VyZdQwYiNlicJ CCZTTG0xsbOnZkzU5aZEXhQPiDsllFtfV/qD/xrR2fRVcqcCq4zxFjTFpBqRLUrZ2xHW IybC/mdTc129bs49b7/UqMYkk53q9yFKBTN7rta4X+/J6r74teEfC9kS2mGBPFCzTfgy bfx9k0EAyHFtGRPCbiE2c+ntjCL9x+J/VG27c8R3KIWDMbstzLaDpi1VqCY/CKJ13QHM X31QjIJpiacqVT4GzCsoX2Emvi/ZzNJVyRF7sG+E/bMb6scB7ARqCwHoZwAiWr8emZc7 yhoA== X-Gm-Message-State: AOJu0YwZjDkKVPNSpXTxo2FDpjGQ36B57n19eLb0tp59SMAuKOQs6LBQ XYgLhJPlc21dTmgOthRqor5Y7Vxpe0DcFO3dHuw= X-Google-Smtp-Source: AGHT+IFjzSZBiVYTDO8KcE9yt/VwSRFyQX5CkE9xe+Py2jIEqBONh78o3cmfM7n4X2Lw1jUUaQu6HQF0WGKa5lUG4io= X-Received: by 2002:a2e:7d0c:0:b0:2b6:e2aa:8fbc with SMTP id y12-20020a2e7d0c000000b002b6e2aa8fbcmr1496089ljc.8.1694778429396; Fri, 15 Sep 2023 04:47:09 -0700 (PDT) Received: from 753933720722 named unknown by gmailapi.google.com with HTTPREST; Fri, 15 Sep 2023 04:47:08 -0700 From: Stefan Kangas In-Reply-To: (daniel watson's message of "Wed, 13 Sep 2023 23:10:11 -0700") References: MIME-Version: 1.0 Date: Fri, 15 Sep 2023 04:47:08 -0700 Message-ID: Subject: Re: bug#65973: [PATCH] ; send filename, not full path, on EWW form submit To: daniel watson Content-Type: text/plain; charset="UTF-8" X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 65973 Cc: 65973@debbugs.gnu.org, daniel watson X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) daniel watson writes: > i'm including the diff inline to make it easier to review without > downloading the attached file. Most (or all?) people reviewing patches use Emacs mail readers, so we have no trouble reviewing attached files. Getting it as an attachment actually makes things easier for us, as our tools are adapted to that workflow. That's the main reason why we have a preference for that format. From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 19 05:15:35 2023 Received: (at 65973) by debbugs.gnu.org; 19 Sep 2023 09:15:35 +0000 Received: from localhost ([127.0.0.1]:55383 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qiWpP-0005Hb-Or for submit@debbugs.gnu.org; Tue, 19 Sep 2023 05:15:34 -0400 Received: from [2602:fffa:fff:108a:0:16:3e15:92b8] (port=54888 helo=mailserver.each.do) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qiUxh-0001dx-66 for 65973@debbugs.gnu.org; Tue, 19 Sep 2023 03:16:01 -0400 Received: from ozzloy by mailserver.each.do with local (Exim 4.94.2) (envelope-from ) id 1qiUxW-004J1u-0s; Tue, 19 Sep 2023 00:15:46 -0700 Date: Tue, 19 Sep 2023 00:15:45 -0700 From: daniel watson To: Stefan Kangas Subject: Re: bug#65973: [PATCH] ; send filename, not full path, on EWW form submit Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: On Fri, Sep 15, 2023 at 04:47:08AM -0700, Stefan Kangas wrote: > Most (or all?) people reviewing patches use Emacs mail readers, so we > have no trouble reviewing attached files. Getting it as an atta [...] Content analysis details: (1.3 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS X-Debbugs-Envelope-To: 65973 X-Mailman-Approved-At: Tue, 19 Sep 2023 05:15:29 -0400 Cc: 65973@debbugs.gnu.org, daniel watson X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.3 (/) On Fri, Sep 15, 2023 at 04:47:08AM -0700, Stefan Kangas wrote: > Most (or all?) people reviewing patches use Emacs mail readers, so we > have no trouble reviewing attached files. Getting it as an attachment > actually makes things easier for us, as our tools are adapted to that > workflow. That's the main reason why we have a preference for that > format. that makes sense. i want to get my email setup like that. the inline patch was included for easier viewing in the browser and not as a replacement for the attachment, or endorsing skipping the attachment. so i'm glad you clarified on the last bug report, when i got help from people, i found myself linking to both the bug report page, and separately to another page where they could view the code in-browser. maybe the bug report page https://debbugs.gnu.org/cgi/bugreport.cgi?bug=65973 could display the attached patch in addition to having a download link. the source code for this page has not been touched in years though, so that makes me think it will be difficult to contribute a change. thanks for the assistance with this and the prior bug! From debbugs-submit-bounces@debbugs.gnu.org Sat Dec 02 10:03:02 2023 Received: (at submit) by debbugs.gnu.org; 2 Dec 2023 15:03:02 +0000 Received: from localhost ([127.0.0.1]:58412 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1r9RWH-0004Cf-Hg for submit@debbugs.gnu.org; Sat, 02 Dec 2023 10:03:02 -0500 Received: from lists.gnu.org ([2001:470:142::17]:48002) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1r9RWF-0004CM-E7 for submit@debbugs.gnu.org; Sat, 02 Dec 2023 10:03:00 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1r9RVw-0006Nn-T0 for bug-gnu-emacs@gnu.org; Sat, 02 Dec 2023 10:02:43 -0500 Received: from mail-ot1-x331.google.com ([2607:f8b0:4864:20::331]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1r9RVu-0007hl-Id for bug-gnu-emacs@gnu.org; Sat, 02 Dec 2023 10:02:40 -0500 Received: by mail-ot1-x331.google.com with SMTP id 46e09a7af769-6d8750718adso645784a34.0 for ; Sat, 02 Dec 2023 07:02:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701529356; x=1702134156; darn=gnu.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Wcr+VdE2lbwZZqabc+gJ6SjIDEf+7gp9hM+zl/z8gTA=; b=fHppf5BfFkc5U3dvnlMlCc3mCTDdri/0nyy6tTXI0YLMRGtm28c7ePVbc09r9n8O3y 6yXzyyn2et/RjquIqRigXgjeiFH1uJV2pE82o8+kn0hkKBCt7k9xMr8P2qEbyl0dX2FI OjzVYaNwkk/XNb+fXF1m7rGEsXi/vt9QCa+80AnHBVX4A6irRuQfM1Eg86eg1G8EBUSL W/uZqupWjeq0BEM0HPg7Npd3FntLsRSaUR2u2Z5u6QpS3X8JiKK9n1hOZQuqVtO8Hk6/ /HG9nTEb42691izyvfjIl4QnA/fz9TuPoOXkvlbxeyrxmjR5Ol1Vz0jLTwrhnX6NUpGE 3dhA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701529356; x=1702134156; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Wcr+VdE2lbwZZqabc+gJ6SjIDEf+7gp9hM+zl/z8gTA=; b=Vn4ZwIRGZVJ0zBCrCrbU0YFieBc6mI+O1kQ5RP3WzKHtQwiKxnXNVZlABAsIvcDdxV /jBp1dUknsgRbuhiqyZHddsAe8l7P7WWNShyjvGFOFuBzYfkx8CZqL8aXkKg+8IVVHBy ArSamHoNeCqOZ0CSGAXzpHdMqZP+IsRFbMrddw177Jl40GwsCKzCcuo8wXY627TpDZQ2 J6whFjRsm5JVFLDwj3uyiOYiJIjZkjVPrymbILVSyNE7nEqvYfP97C0FRxYlL9+TvDOm WcGzjdA/d7sOIBzvssge8zMXZEsXnKOYuqe0kcYhIqU2tCeBBiW97LjpfWoKo4LSpjYw vY7Q== X-Gm-Message-State: AOJu0YyEhin8uGAlONswlEFqnT/VppC9IzmURLQ59j7a7BwVeCOlz7Uw 3/6QxdkG4/385thi2/p7DZnotf2pneVIOIh25+ZPoBNL X-Google-Smtp-Source: AGHT+IG2qdsetdJ6ow0mpzcbbdEO1Ge9ID/6Ay+d0MlnhlrY2emhD19XirgEWLOkfyV6c0bH0JhFowmZWuxoBdqmE+k= X-Received: by 2002:a05:6870:649e:b0:1fa:fff4:5a15 with SMTP id cz30-20020a056870649e00b001fafff45a15mr1823160oab.45.1701529356209; Sat, 02 Dec 2023 07:02:36 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: ozzloy Date: Sat, 2 Dec 2023 07:02:20 -0800 Message-ID: Subject: Re: [PATCH] ; send filename, not full path, on EWW form submit To: daniel watson Content-Type: multipart/alternative; boundary="000000000000da1404060b882ce4" Received-SPF: pass client-ip=2607:f8b0:4864:20::331; envelope-from=ozzloy@gmail.com; helo=mail-ot1-x331.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: submit Cc: bug-gnu-emacs@gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) --000000000000da1404060b882ce4 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable bump On Wed, Sep 13, 2023 at 11:10=E2=80=AFPM daniel watson wrote: > > 0. in one terminal, run this http server > https://git.sr.ht/~ozzloy/emacs-bug-63941/tree/master/item/server.py > 1. in another terminal, run > socat -v tcp-listen:8086,fork tcp:localhost:8085 > 2. browse to the page with EWW, > M-x eww localhost:8086 > 3. put the cursor on the word "Browse" > 4. select any file to which you have read access for uploading > 5. put cursor on "Submit" > 6. observe the full path of the file is sent to the server. this is > visible in both the python output and the socat output. > > i'm including the diff inline to make it easier to review without > downloading the attached file. > > --- > lisp/net/eww.el | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lisp/net/eww.el b/lisp/net/eww.el > index 4ddda216afc..f28273dcc58 100644 > --- a/lisp/net/eww.el > +++ b/lisp/net/eww.el > @@ -1849,7 +1849,7 @@ eww-submit > (insert-file-contents file) > (buffer-string))) > (cons "name" name) > - (cons "filename" file)) > + (cons "filename" (file-name-nondirectory file)= )) > values))) > ((equal (plist-get input :type) "submit") > ;; We want the values from buttons if we hit a button if > -- > 2.39.2 > > > > > In GNU Emacs 29.1 (build 2, x86_64-pc-linux-gnu, GTK+ Version 3.24.20, > cairo version 1.16.0) of 2023-08-03 built on bos03-amd64-031 > Repository revision: cf57ec68c2a5ac5b721f445928869ca14232a4d1 > Repository branch: master > Windowing system distributor 'The X.Org Foundation', version 11.0.1210100= 7 > System Description: Ubuntu 23.04 > > Configured using: > 'configure --prefix=3D/snap/emacs/current/usr --with-x-toolkit=3Dgtk3 > --without-xaw3d --with-modules --with-cairo > --with-native-compilation=3Daot --with-xinput2 --with-tree-sitter > --with-json > 'CFLAGS=3D-isystem/build/emacs/parts/emacs/install/usr/include > -isystem/build/emacs/parts/emacs/install/usr/include/x86_64-linux-gnu > -isystem/build/emacs/stage/usr/include -O2' > 'CPPFLAGS=3D-isystem/build/emacs/parts/emacs/install/usr/include > -isystem/build/emacs/parts/emacs/install/usr/include/x86_64-linux-gnu > -isystem/build/emacs/stage/usr/include' > 'LDFLAGS=3D-L/build/emacs/parts/emacs/install/lib > -L/build/emacs/parts/emacs/install/usr/lib > -L/build/emacs/parts/emacs/install/lib/x86_64-linux-gnu > -L/build/emacs/parts/emacs/install/usr/lib/x86_64-linux-gnu > -L/build/emacs/stage/usr/lib'' > > > --000000000000da1404060b882ce4 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
bump

On Wed, Sep 13, 2023 at 11:10=E2=80=AFPM daniel wa= tson <ozzloy@challenge-bot.c= om> wrote:
https://git.sr.ht/~= ozzloy/emacs-bug-63941/tree/master/item/server.py
1. in another terminal, run
=C2=A0 =C2=A0socat -v tcp-listen:8086,fork tcp:localhost:8085
2. browse to the page with EWW,
=C2=A0 =C2=A0M-x eww <ENTER> localhost:8086 <ENTER>
3. put the cursor on the word "Browse" <ENTER>
4. select any file to which you have read access for uploading
5. put cursor on "Submit" <ENTER>
6. observe the full path of the file is sent to the server.=C2=A0 this is =C2=A0 =C2=A0visible in both the python output and the socat output.

i'm including the diff inline to make it easier to review without
downloading the attached file.

---
=C2=A0lisp/net/eww.el | 2 +-
=C2=A01 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lisp/net/eww.el b/lisp/net/eww.el
index 4ddda216afc..f28273dcc58 100644
--- a/lisp/net/eww.el
+++ b/lisp/net/eww.el
@@ -1849,7 +1849,7 @@ eww-submit
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0(insert-file-contents f= ile)
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0(buffer-string)))
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0(cons "name" name)
-=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 (cons "filename" file))
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 (cons "filename" (file-name-nondirectory file))= )
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0values)))
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0((equal (plist-get input :type) &q= uot;submit")
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 ;; We want the values from button= s if we hit a button if
--
2.39.2




In GNU Emacs 29.1 (build 2, x86_64-pc-linux-gnu, GTK+ Version 3.24.20,
=C2=A0cairo version 1.16.0) of 2023-08-03 built on bos03-amd64-031
Repository revision: cf57ec68c2a5ac5b721f445928869ca14232a4d1
Repository branch: master
Windowing system distributor 'The X.Org Foundation', version 11.0.1= 2101007
System Description: Ubuntu 23.04

Configured using:
=C2=A0'configure --prefix=3D/snap/emacs/current/usr --with-x-toolkit=3D= gtk3
=C2=A0--without-xaw3d --with-modules --with-cairo
=C2=A0--with-native-compilation=3Daot --with-xinput2 --with-tree-sitter
=C2=A0--with-json
=C2=A0'CFLAGS=3D-isystem/build/emacs/parts/emacs/install/usr/include =C2=A0-isystem/build/emacs/parts/emacs/install/usr/include/x86_64-linux-gnu=
=C2=A0-isystem/build/emacs/stage/usr/include -O2'
=C2=A0'CPPFLAGS=3D-isystem/build/emacs/parts/emacs/install/usr/include<= br> =C2=A0-isystem/build/emacs/parts/emacs/install/usr/include/x86_64-linux-gnu=
=C2=A0-isystem/build/emacs/stage/usr/include'
=C2=A0'LDFLAGS=3D-L/build/emacs/parts/emacs/install/lib
=C2=A0-L/build/emacs/parts/emacs/install/usr/lib
=C2=A0-L/build/emacs/parts/emacs/install/lib/x86_64-linux-gnu
=C2=A0-L/build/emacs/parts/emacs/install/usr/lib/x86_64-linux-gnu
=C2=A0-L/build/emacs/stage/usr/lib''


--000000000000da1404060b882ce4-- From debbugs-submit-bounces@debbugs.gnu.org Tue Nov 05 09:34:58 2024 Received: (at 65973) by debbugs.gnu.org; 5 Nov 2024 14:34:59 +0000 Received: from localhost ([127.0.0.1]:43996 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t8Ke2-00016o-0V for submit@debbugs.gnu.org; Tue, 05 Nov 2024 09:34:58 -0500 Received: from fout-a2-smtp.messagingengine.com ([103.168.172.145]:41629) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t8Kdx-00016i-VD for 65973@debbugs.gnu.org; Tue, 05 Nov 2024 09:34:56 -0500 Received: from phl-compute-03.internal (phl-compute-03.phl.internal [10.202.2.43]) by mailfout.phl.internal (Postfix) with ESMTP id CC2EF138039B; Tue, 5 Nov 2024 09:34:47 -0500 (EST) Received: from phl-mailfrontend-02 ([10.202.2.163]) by phl-compute-03.internal (MEProxy); Tue, 05 Nov 2024 09:34:47 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sebasmonia.com; h=cc:cc:content-transfer-encoding:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:subject:subject:to:to; s=fm3; t=1730817287; x=1730903687; bh=XVpQolgYmaeYIfLaAwwGyJtJbBl88RGp 4N/MqXh5D18=; b=V1IF4HA+n720qW3zwMmjNavZOZLviCxklu0I/BHU7DfoLeEV ynRW9ICdfCCa63GstGmYXttYAl7knHSpvm9kyPlw+Og4cn4fVcpZc2dfWzGygviV rHnN+wHZDzeBJVA28NxdlA78CBBVOvpH2EES2LneNh3KYv0rt9VLwHB0gCmcAFqp TVy0j/rAFb8lxJ5Ad7ajPRyJ3m+Zpf+X+Qq5LkZZt50IbAHgA7ksoHYKuf1yu1RF 4a5iFw/I1kA0S9tqRXBH5EFrjuJI8Zg3+iYFbPTBu/tOkKQQ+zZLNLt0fV6579fX dTZ1IXGqQtqQiXfoOan8fnrOx0JXWxlCMfOLLQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1730817287; x= 1730903687; bh=XVpQolgYmaeYIfLaAwwGyJtJbBl88RGp4N/MqXh5D18=; b=E /ZusD7b0GweePb9r0W6f/bxNdN7ahQ87SrmgnMVZ2iUqXGu1/ZvPq9kNZK8z40uP ko3qzl4AhNJlHOh8zCpc/uh6fZDp0rjoag58WCaCUDtm1Jve46iIx6rqeEEOne4r zZzncX9FLE7SIU4QRj7LxSKFzcv8kzDwLKR4SWsnvi8q5Sr0a7CMl/12O9tWKQO4 Lc7tV7xx4otYadu7BEer9PhDdy+pyY6NXUunErzie9iVR79Cqy1cdOcNOSDaxA5U Z5xIip9+fCGEsUj7sL76MV4TcSpEGyvrShLwb4urQ1UQLWBn9nbWkdQT/+kxKaBf JMVyc30tvMqlqVOI+NB/A== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefuddrtddtgdefjecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpggftfghnshhusghstghrihgsvgdpuffr tefokffrpgfnqfghnecuuegrihhlohhuthemuceftddtnecunecujfgurhephffvvefujg hffffkfgggtgfgsehtqhertddtreejnecuhfhrohhmpefuvggsrghsthhijohnucfoohhn vogruceoshgvsggrshhtihgrnhesshgvsggrshhmohhnihgrrdgtohhmqeenucggtffrrg htthgvrhhnpedtiedtuddtfeehjedugeduuedvgedtvdfgieeuleeihfffkeehtdelffek feduudenucffohhmrghinhepshhrrdhhthdpshgvrhhvvghrrdhphidpshgvsggrshhmoh hnihgrrdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhf rhhomhepshgvsggrshhtihgrnhesshgvsggrshhmohhnihgrrdgtohhmpdhnsggprhgtph htthhopeegpdhmohguvgepshhmthhpohhuthdprhgtphhtthhopeeiheeljeefseguvggs sghughhsrdhgnhhurdhorhhgpdhrtghpthhtohepohiiiihlohihsegthhgrlhhlvghngh gvqdgsohhtrdgtohhmpdhrtghpthhtohepjhhpohhrthgvrhgsuhhgshesghhmrghilhdr tghomhdprhgtphhtthhopehoiiiilhhohiesghhmrghilhdrtghomh X-ME-Proxy: Feedback-ID: iab2c46da:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 5 Nov 2024 09:34:47 -0500 (EST) From: =?iso-8859-1?Q?Sebasti=E1n_Mon=EDa?= To: ozzloy , Jim Porter Subject: Re: bug#65973: [PATCH] ; send filename, not full path, on EWW form submit In-Reply-To: (ozzloy@gmail.com's message of "Sat, 2 Dec 2023 07:02:20 -0800") References: Date: Tue, 05 Nov 2024 09:34:46 -0500 Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 65973 Cc: daniel watson , 65973@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) /added Jim for visibility/ This seems like something simple enough to merge. Thoughts? ozzloy writes: > bump > > On Wed, Sep 13, 2023 at 11:10=E2=80=AFPM daniel watson wrote: > > 0. in one terminal, run this http server > https://git.sr.ht/~ozzloy/emacs-bug-63941/tree/master/item/server.py > 1. in another terminal, run > socat -v tcp-listen:8086,fork tcp:localhost:8085 > 2. browse to the page with EWW, > M-x eww localhost:8086 > 3. put the cursor on the word "Browse" > 4. select any file to which you have read access for uploading > 5. put cursor on "Submit" > 6. observe the full path of the file is sent to the server. this is > visible in both the python output and the socat output. > > i'm including the diff inline to make it easier to review without > downloading the attached file. > > --- > lisp/net/eww.el | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lisp/net/eww.el b/lisp/net/eww.el > index 4ddda216afc..f28273dcc58 100644 > --- a/lisp/net/eww.el > +++ b/lisp/net/eww.el > @@ -1849,7 +1849,7 @@ eww-submit > (insert-file-contents file) > (buffer-string))) > (cons "name" name) > - (cons "filename" file)) > + (cons "filename" (file-name-nondirectory file= ))) > values))) > ((equal (plist-get input :type) "submit") > ;; We want the values from buttons if we hit a button if > --=20 > 2.39.2 > > In GNU Emacs 29.1 (build 2, x86_64-pc-linux-gnu, GTK+ Version 3.24.20, > cairo version 1.16.0) of 2023-08-03 built on bos03-amd64-031 > Repository revision: cf57ec68c2a5ac5b721f445928869ca14232a4d1 > Repository branch: master > Windowing system distributor 'The X.Org Foundation', version 11.0.121010= 07 > System Description: Ubuntu 23.04 > > Configured using: > 'configure --prefix=3D/snap/emacs/current/usr --with-x-toolkit=3Dgtk3 > --without-xaw3d --with-modules --with-cairo > --with-native-compilation=3Daot --with-xinput2 --with-tree-sitter > --with-json > 'CFLAGS=3D-isystem/build/emacs/parts/emacs/install/usr/include > -isystem/build/emacs/parts/emacs/install/usr/include/x86_64-linux-gnu > -isystem/build/emacs/stage/usr/include -O2' > 'CPPFLAGS=3D-isystem/build/emacs/parts/emacs/install/usr/include > -isystem/build/emacs/parts/emacs/install/usr/include/x86_64-linux-gnu > -isystem/build/emacs/stage/usr/include' > 'LDFLAGS=3D-L/build/emacs/parts/emacs/install/lib > -L/build/emacs/parts/emacs/install/usr/lib > -L/build/emacs/parts/emacs/install/lib/x86_64-linux-gnu > -L/build/emacs/parts/emacs/install/usr/lib/x86_64-linux-gnu > -L/build/emacs/stage/usr/lib'' > --=20 Sebasti=C3=A1n Mon=C3=ADa https://site.sebasmonia.com/ From debbugs-submit-bounces@debbugs.gnu.org Tue Nov 05 12:08:15 2024 Received: (at 65973) by debbugs.gnu.org; 5 Nov 2024 17:08:15 +0000 Received: from localhost ([127.0.0.1]:44679 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t8N2M-0005ak-T9 for submit@debbugs.gnu.org; Tue, 05 Nov 2024 12:08:15 -0500 Received: from eggs.gnu.org ([209.51.188.92]:46376) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t8N2J-0005ae-GC for 65973@debbugs.gnu.org; Tue, 05 Nov 2024 12:08:13 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1t8N2E-0006jC-0h; Tue, 05 Nov 2024 12:08:06 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-version:References:Subject:In-Reply-To:To:From: Date; bh=HC9W7KmGLZqDQ3IXrm/MluNM0B/maLDSOMZoLrBP9zw=; b=mrXQl7ufF5ZGfM6BTem3 BaphPBL8FER7ZtGrJYmBvsMJaX9uul86vKam0tz4A7VSPq26+193i7iE3sjFeFnG13N4+TfHFdwpr 4NgZX/NQHzmf/xnZ7RBZGtWlkZ1s6TPXJbgkMSH3yXzneXlvkutDyMYOxXjJFfvZrqdAg8HMTLBV0 pqymQkH9H5ajqfUfJeBxxfd1hOpsl/ZfjBsT7zHZuG066RKMLuustihLITwLTmySagtqYEnHY35zX eAbDo63ujT+azTbvn8MvcxxuzGNGe/xQ3bVTjjqI6xmqnaPPhqYDizvG2xnmRwtiYicOOQiU9fopa 3kb1BkVB0LJWSA==; Date: Tue, 05 Nov 2024 19:08:02 +0200 Message-Id: <86bjyttxql.fsf@gnu.org> From: Eli Zaretskii To: =?utf-8?Q?Sebasti=C3=A1n_Mon=C3=ADa?= In-Reply-To: (sebastian@sebasmonia.com) Subject: Re: bug#65973: [PATCH] ; send filename, not full path, on EWW form submit References: MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 65973 Cc: jporterbugs@gmail.com, ozzloy@challenge-bot.com, 65973@debbugs.gnu.org, ozzloy@gmail.com X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) > Cc: daniel watson , 65973@debbugs.gnu.org > From: Sebastián Monía > > Date: Tue, 05 Nov 2024 09:34:46 -0500 > > > /added Jim for visibility/ > > This seems like something simple enough to merge. > Thoughts? > > ozzloy writes: > > bump > > > > On Wed, Sep 13, 2023 at 11:10 PM daniel watson wrote: > > > > 0. in one terminal, run this http server > > https://git.sr.ht/~ozzloy/emacs-bug-63941/tree/master/item/server.py > > 1. in another terminal, run > > socat -v tcp-listen:8086,fork tcp:localhost:8085 > > 2. browse to the page with EWW, > > M-x eww localhost:8086 > > 3. put the cursor on the word "Browse" > > 4. select any file to which you have read access for uploading > > 5. put cursor on "Submit" > > 6. observe the full path of the file is sent to the server. this is > > visible in both the python output and the socat output. > > > > i'm including the diff inline to make it easier to review without > > downloading the attached file. I'd like some rationale for this change. The original report never explains why sending the full absolute file name to the server is bad. Please note that using file names without directories in Emacs means that the file is presumed to live in the current-buffer's default-directory. I'm not sure I understand why this is correct in this case, and neither am I sure that the server will interpret it like that (because the server might run in a different directory). But maybe I'm missing something important here. Thanks. From debbugs-submit-bounces@debbugs.gnu.org Tue Nov 05 14:37:37 2024 Received: (at 65973) by debbugs.gnu.org; 5 Nov 2024 19:37:37 +0000 Received: from localhost ([127.0.0.1]:37997 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t8PMu-0002ua-Rg for submit@debbugs.gnu.org; Tue, 05 Nov 2024 14:37:37 -0500 Received: from mail-pg1-f170.google.com ([209.85.215.170]:42179) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t8PMs-0002uN-I9 for 65973@debbugs.gnu.org; Tue, 05 Nov 2024 14:37:36 -0500 Received: by mail-pg1-f170.google.com with SMTP id 41be03b00d2f7-7ea7ad1e01fso122679a12.0 for <65973@debbugs.gnu.org>; Tue, 05 Nov 2024 11:37:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1730835388; x=1731440188; darn=debbugs.gnu.org; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:mime-version:date:message-id:from:to:cc :subject:date:message-id:reply-to; bh=9Z94Vc0snWrJMcdvKtJ3SqRXcL43Cipk41wRlezvTeo=; b=ER7F7wYFHAnTD86hE1CgHflkn7N9aqc5dQX8gJJWXiW/6El89lonP1DgCUEi2GBm96 JjIvUjIWZmLqjHoJGbcww5UX+fUOh6gr/G7K4HjDblzdE5mG4yMPB0FS+PXTUJK8PISh NG8JjtsL0AgvQnMbzZegjlnVFvmPE/FnqUiD0mZTcS56ABO07ivnqGP5xSMSKAyKb5Hf SOvC4ihtohugy7o+ajFY1Q66W9dU3AGMpEg+ryq+WeZ3G3snJ2nZ7f8B5ZXmSTRFM4lQ ug2VMPq987TEpGGdDoRK3LNe/5XvJOjaWQi5MijLIJNm7XzSJKtFTulHjj9VVL0d6TVC fZhQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1730835388; x=1731440188; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=9Z94Vc0snWrJMcdvKtJ3SqRXcL43Cipk41wRlezvTeo=; b=YDyLGp5YWIknDenjPLJXLz4ZTUSCgTiiKR/YGODtxiVLpO1S2+Dimtq4ERJUJ1TbtA VwrxCNyLhk6TQujIheItkz5DXSAJZaCzZOrdQm43akN2Ae3kLaI000P9fdGaDGwZVXWW hazFLH8OcsK4WovyP27ipydPM9d6alDQ9tGtt7KDzLztRxAt88IUp0KxIPCG5ZNVVLno FBhIP04gPRpgDm0OTKNA+sSTKKju2NFzQfTp1ZPwczug4pYCvBKvLo6GM1lMJD6ua1ZY C0v086h06uamJgyHvkaIMsqffY1LVv2sEBOZOPMgiZKZIdmsTr3+8Pzw7fao9S7yZE0i 7eJg== X-Forwarded-Encrypted: i=1; AJvYcCW93fo/tgHss37T5apYM8yToVcMQr2DjSBT+M12iaUORK/hXfm2CfXbtz7itOnHicQhR+L+yg==@debbugs.gnu.org X-Gm-Message-State: AOJu0YwZYqK5wjRGvx5yPW1v7TIDYvTJ+iKTf0Q1A6gwBzqF1PSbgogU m/T47JmNaD/d2mJKsLUhy33htPcCjezeIPlGkI3AcJ5EwilxBBtn X-Google-Smtp-Source: AGHT+IFr4X1GoAFV0il1ueiRhBARWjFOhPUu0J+50xJ9zcMXRld7rXCaBrDU8JfzYoSiBasEAU7p0w== X-Received: by 2002:a17:90b:1b44:b0:2e0:7e80:2011 with SMTP id 98e67ed59e1d1-2e94c21cd58mr27726915a91.16.1730835386922; Tue, 05 Nov 2024 11:36:26 -0800 (PST) Received: from [192.168.1.2] (syn-023-240-098-037.res.spectrum.com. [23.240.98.37]) by smtp.googlemail.com with ESMTPSA id 98e67ed59e1d1-2e92fa26a38sm12351187a91.22.2024.11.05.11.36.26 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 05 Nov 2024 11:36:26 -0800 (PST) Message-ID: <4215339a-e797-6198-2e40-8d577e1fec42@gmail.com> Date: Tue, 5 Nov 2024 11:36:25 -0800 MIME-Version: 1.0 Subject: Re: bug#65973: [PATCH] ; send filename, not full path, on EWW form submit Content-Language: en-US To: Eli Zaretskii , =?UTF-8?B?U2ViYXN0acOhbiBNb27DrWE=?= References: <86bjyttxql.fsf@gnu.org> From: Jim Porter In-Reply-To: <86bjyttxql.fsf@gnu.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 65973 Cc: ozzloy@challenge-bot.com, 65973@debbugs.gnu.org, ozzloy@gmail.com X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) On 11/5/2024 9:08 AM, Eli Zaretskii wrote: >> Cc: daniel watson , 65973@debbugs.gnu.org >> From: Sebastián Monía >> >> Date: Tue, 05 Nov 2024 09:34:46 -0500 >> >> >> /added Jim for visibility/ >> >> This seems like something simple enough to merge. >> Thoughts? >> >> ozzloy writes: >>> bump >>> >>> On Wed, Sep 13, 2023 at 11:10 PM daniel watson wrote: >>> >>> 0. in one terminal, run this http server >>> https://git.sr.ht/~ozzloy/emacs-bug-63941/tree/master/item/server.py >>> 1. in another terminal, run >>> socat -v tcp-listen:8086,fork tcp:localhost:8085 >>> 2. browse to the page with EWW, >>> M-x eww localhost:8086 >>> 3. put the cursor on the word "Browse" >>> 4. select any file to which you have read access for uploading >>> 5. put cursor on "Submit" >>> 6. observe the full path of the file is sent to the server. this is >>> visible in both the python output and the socat output. >>> >>> i'm including the diff inline to make it easier to review without >>> downloading the attached file. > > I'd like some rationale for this change. The original report never > explains why sending the full absolute file name to the server is bad. I see three possible reasons: 1) there could be (probably minor) privacy issues with sending the directory structure along to a server; 2) as far as I'm aware, other browsers only pass the "leaf" of the filename; 3) RFC 2813 says that *recipients* should ignore any directories: The receiving MUA SHOULD NOT respect any directory path information that may seem to be present in the filename parameter. The filename should be treated as a terminal component only. Portable specification of directory paths might possibly be done in the future via a separate Content-Disposition parameter, but no provision is made for it in this draft. RFC 2813 is primarily about mail clients, but MDN suggests following it in a web context as well: . So I think the RFC would suggest that it's *allowed* to send the directories in the "filename" field, but since the server is supposed to ignore it, there's no benefit to doing so. From debbugs-submit-bounces@debbugs.gnu.org Tue Nov 05 22:30:09 2024 Received: (at 65973) by debbugs.gnu.org; 6 Nov 2024 03:30:09 +0000 Received: from localhost ([127.0.0.1]:38802 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t8WkD-0006gX-4F for submit@debbugs.gnu.org; Tue, 05 Nov 2024 22:30:09 -0500 Received: from fhigh-a5-smtp.messagingengine.com ([103.168.172.156]:52669) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t8WkA-0006bs-W3 for 65973@debbugs.gnu.org; Tue, 05 Nov 2024 22:30:08 -0500 Received: from phl-compute-08.internal (phl-compute-08.phl.internal [10.202.2.48]) by mailfhigh.phl.internal (Postfix) with ESMTP id E4CC9114015A; Tue, 5 Nov 2024 22:30:01 -0500 (EST) Received: from phl-mailfrontend-02 ([10.202.2.163]) by phl-compute-08.internal (MEProxy); Tue, 05 Nov 2024 22:30:01 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sebasmonia.com; h=cc:cc:content-transfer-encoding:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:subject:subject:to:to; s=fm3; t=1730863801; x=1730950201; bh=WWY70pN6njsmfnom4L0U+cfbagH81GWk OyEIoO7MiaA=; b=LPBs1JgjqB8pDRz8L7kxj+jvM2cvNal3iINx13rRyfkpuM+0 /D/RAG6B+xr7a43AeppWboZntikzdAAvgExvMFeB42PtcNmlBEu5wPppUnGxcU2q nIuixKDyCsNj6xVERbbH2e8YWcYGkr0vHLN58UZRQaxX0IStWJJlmme+tthviRNm RsefO0AcVtHevVz4WZvI/IQIu6VC38xdaohp/GRYFBVCSm4giMtQvi7IkeZbVkRO /P3XzGTSs6Fd+XGrXbCjv/jlRnzX3BZ848cSt+f7pQsZzHs14lD3AzBIrWDjNEqP kk5oTcQm1L7d4WQZMMHvit6KaNPWLXigvXLeFw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1730863801; x= 1730950201; bh=WWY70pN6njsmfnom4L0U+cfbagH81GWkOyEIoO7MiaA=; b=B b/M6cnPqvLDY5itrByBFyIpgmKlX5jZ8CK4WreC2KkQkgSm2sWTnDzWknWBqmfBy cRVIZDx/Yf9f6HfIAPL+mQfNNTsIF6R9ZgNW5Leb9UTXdDJBmgCX5ukLnMLrBH+s jEl1keJT+nM68vS3q9mbBNDRKpRYXjAngRpQVH5FPHdfNPSUkfev3kThdQf66a70 1yoseMeRpX66uZ/WFmcEPIHQ8E2vH8+fVA2nWlXSzTz6FezUwdQU4MlMHBsUPjEP bYt5ggcdddZkA7c0rMpMwDmN3TRFt0fqiufeJc0p+CRRNq3Qlxz/vtS6mTkm7CYA SJplphfsCUY+QCWJhdBxw== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefuddrtddugdeitdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpggftfghnshhusghstghrihgsvgdpuffr tefokffrpgfnqfghnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnth hsucdlqddutddtmdenucfjughrpefhvfevufgjfhffkfgfgggtgfesthhqredttderjeen ucfhrhhomhepufgvsggrshhtihojnhcuofhonhovrgcuoehsvggsrghsthhirghnsehsvg gsrghsmhhonhhirgdrtghomheqnecuggftrfgrthhtvghrnheplefhtdfgfeegudejveek hfffjefhfeefleeuhfelueehiefhtdffhfdufeeltdefnecuffhomhgrihhnpehmohiiih hllhgrrdhorhhgpdhsvggsrghsmhhonhhirgdrtghomhenucevlhhushhtvghrufhiiigv pedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehsvggsrghsthhirghnsehsvggsrghsmh honhhirgdrtghomhdpnhgspghrtghpthhtohephedpmhhouggvpehsmhhtphhouhhtpdhr tghpthhtohepohiiiihlohihsehgmhgrihhlrdgtohhmpdhrtghpthhtohepieehleejfe esuggvsggsuhhgshdrghhnuhdrohhrghdprhgtphhtthhopehoiiiilhhohiestghhrghl lhgvnhhgvgdqsghothdrtghomhdprhgtphhtthhopegvlhhiiiesghhnuhdrohhrghdprh gtphhtthhopehjphhorhhtvghrsghughhssehgmhgrihhlrdgtohhm X-ME-Proxy: Feedback-ID: iab2c46da:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 5 Nov 2024 22:30:01 -0500 (EST) From: =?utf-8?Q?Sebasti=C3=A1n_Mon=C3=ADa?= To: Jim Porter Subject: Re: bug#65973: [PATCH] ; send filename, not full path, on EWW form submit In-Reply-To: <4215339a-e797-6198-2e40-8d577e1fec42@gmail.com> (Jim Porter's message of "Tue, 5 Nov 2024 11:36:25 -0800") References: <86bjyttxql.fsf@gnu.org> <4215339a-e797-6198-2e40-8d577e1fec42@gmail.com> Date: Tue, 05 Nov 2024 22:30:01 -0500 Message-ID: <87y11x11l2.fsf@sebasmonia.com> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 65973 Cc: Eli Zaretskii , ozzloy@challenge-bot.com, 65973@debbugs.gnu.org, ozzloy@gmail.com X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) Jim Porter writes: > On 11/5/2024 9:08 AM, Eli Zaretskii wrote: >> I'd like some rationale for this change. The original report never >> explains why sending the full absolute file name to the server is bad. > > I see three possible reasons: 1) there could be (probably minor) > privacy issues with sending the directory structure along to a server; > 2) as far as I'm aware, other browsers only pass the "leaf" of the > filename; 3) RFC 2813 says that *recipients* should ignore any > directories: [...] > RFC 2813 is primarily about mail clients, but MDN suggests following > it in a web context as well: > . > So I think the RFC would suggest that it's *allowed* to send the > directories in the "filename" field, but since the server is supposed > to ignore it, there's no benefit to doing so. I didn't get as far as Jim did. I assumed the concern was #1, and I knew the rest of the path is ignored, so figured we should go ahead. Regards, Seb --=20 Sebasti=C3=A1n Mon=C3=ADa https://site.sebasmonia.com/ From debbugs-submit-bounces@debbugs.gnu.org Wed Nov 06 12:32:05 2024 Received: (at 65973) by debbugs.gnu.org; 6 Nov 2024 17:32:05 +0000 Received: from localhost ([127.0.0.1]:45342 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t8jsx-000308-7X for submit@debbugs.gnu.org; Wed, 06 Nov 2024 12:32:05 -0500 Received: from mailserver.each.do ([208.85.243.232]:37810) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t8iEV-0006Ya-Ac for 65973@debbugs.gnu.org; Wed, 06 Nov 2024 10:46:13 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=each.do; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: In-reply-to:Date:Subject:Cc:To:From:References:From; bh=Zm3v8fZWgah2eQH/3ypy1Y8DX++H7LO12VBa42LaB+0=; b=pEE2pZk29Uqi4RYYWZC1p6ijVg hTCaQAbPQWLcv4TiTMbeiHMjy+uIWeRf3i9v4+Deylz+8Q8Jvx10TBr25u7yC2NPr9bhQGfq2w6wP H8exoCZAm++mhziK6hSh4rT2amfz6oPtbq9par9VhDKLAi1OZcRCUEXO+K0ML/s0L81BgMqrc55P3 0LZapXN9r4Vg25Q0R52cC013F35D+MSrYk2RHX/ajY48uJr3Fsa3p0j2dPlW06uiTyHA9m6Rx+qnW yLLk7o6qE6XvA3ikbum89vTGPrHA46yK6GyVYQ+ItrsXBhCXqdioDx09/QugYUKm0/hlSezktEdXA U3Blcu/Q==; Received: from [2601:646:a100:592d:a1e3:d0e7:865c:9ae6] (helo=trent-reznor) by mailserver.each.do with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1t8iCN-00935E-9Y; Wed, 06 Nov 2024 07:43:59 -0800 References: <86bjyttxql.fsf@gnu.org> <4215339a-e797-6198-2e40-8d577e1fec42@gmail.com> <87y11x11l2.fsf@sebasmonia.com> User-agent: mu4e 1.10.8; emacs 29.3 From: daniel watson To: =?utf-8?Q?Sebasti=C3=A1n_Mon=C3=ADa?= Subject: Re: bug#65973: [PATCH] ; send filename, not full path, on EWW form submit Date: Wed, 06 Nov 2024 07:34:48 -0800 In-reply-to: <87y11x11l2.fsf@sebasmonia.com> Message-ID: <87zfmciczm.fsf@trent-reznor> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 65973 X-Mailman-Approved-At: Wed, 06 Nov 2024 12:32:01 -0500 Cc: Jim Porter , Eli Zaretskii , 65973@debbugs.gnu.org, ozzloy@gmail.com X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) the rationale was initially #1. every other browser i looked into sent the filename only. based on that, i was more confident that it was worth submitting a patch. #3 seems like a good reason too, but i did not know about that until reading this thread. Sebasti=C3=A1n Mon=C3=ADa writes: > Jim Porter writes: >> On 11/5/2024 9:08 AM, Eli Zaretskii wrote: >>> I'd like some rationale for this change. The original report never >>> explains why sending the full absolute file name to the server is bad. >> >> I see three possible reasons: 1) there could be (probably minor) >> privacy issues with sending the directory structure along to a server; >> 2) as far as I'm aware, other browsers only pass the "leaf" of the >> filename; 3) RFC 2813 says that *recipients* should ignore any >> directories: [...] >> RFC 2813 is primarily about mail clients, but MDN suggests following >> it in a web context as well: >> . > >> So I think the RFC would suggest that it's *allowed* to send the >> directories in the "filename" field, but since the server is supposed >> to ignore it, there's no benefit to doing so. > > I didn't get as far as Jim did. I assumed the concern was #1, and I knew > the rest of the path is ignored, so figured we should go ahead. > > Regards, > Seb From debbugs-submit-bounces@debbugs.gnu.org Wed Nov 06 18:32:06 2024 Received: (at 65973) by debbugs.gnu.org; 6 Nov 2024 23:32:06 +0000 Received: from localhost ([127.0.0.1]:46432 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t8pVO-0005BA-8y for submit@debbugs.gnu.org; Wed, 06 Nov 2024 18:32:06 -0500 Received: from mail-ed1-f53.google.com ([209.85.208.53]:42382) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t8pVJ-0005Ad-IC for 65973@debbugs.gnu.org; Wed, 06 Nov 2024 18:32:04 -0500 Received: by mail-ed1-f53.google.com with SMTP id 4fb4d7f45d1cf-5c937b5169cso698171a12.1 for <65973@debbugs.gnu.org>; Wed, 06 Nov 2024 15:32:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1730935856; x=1731540656; darn=debbugs.gnu.org; h=cc:to:subject:message-id:date:mime-version:references:in-reply-to :from:from:to:cc:subject:date:message-id:reply-to; bh=vybhEzPwR+p7O8lMQ/hczYTUCpiXhRp1bqUsWPXtr44=; b=cBJceItR/Zy8Qh9Rvclt1n07xhNFD5UAa3UjPzTIecq6GObHvtoJ9A27GxhSZprG5n i8FGm0fQ6Q4QdHfcs+K5Qt4igRovZ2hLF29m74UWN9lEkJ6DbmiqK5PaLdM8B6oNXFSv 0u5V4emuOdU61NwPQdUsoGQIpydiVkAzqOpjsBo7RAFt2Vk8Ke3Gx8tKAY7SlklR3wGd /uZQcvVsXAKda8t+tjsePZEwiJVOZBEpTRV2pkAWmIjIIoaInpHRkymtynRMWzlbjBOv H8bqsMBE+wLqWMY73kP23evm+0KrpgvZsrVwlJbFHFD5mZCZXie8clJeuN2131Zp4Al/ iJgg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1730935856; x=1731540656; h=cc:to:subject:message-id:date:mime-version:references:in-reply-to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=vybhEzPwR+p7O8lMQ/hczYTUCpiXhRp1bqUsWPXtr44=; b=qaS3DcFbGOYjZIGNuvhJGJcSM/Ac0tlq8CsBgFN5ieF6zIyhgIngCpBJ7hsdf0bkFM lQQHv9IyKaiTJS518nbU/wZaKh1dQeTUbkyg+WA/XPzW8Q7h9bEcrPsahVVdqS2tz1pd TeIJzkfCv/ugN6Hety47iEJEIXH82rb6HcfE6jOhuvghQd7JrTa4skhyYX7isQMRUw6x 4nIKMmEtCH5EohbNXt9kdNUkIWU9VBeTofpwPbobgGovtpXkHPPR5mSZZ64NdrmuD1qR 3RL7mVp936DTy2ZinznaBFcM9Kpo5iXnfmrFuzCYRKNekNgc9s+myyISQBJ5JiFx+mhv JdvQ== X-Forwarded-Encrypted: i=1; AJvYcCXFEyMIltKCM51S8ws70G3jVyAsrzQkyMYq2SyNsxYcjVfHGRQQdmbTk9xZE+jjr6bMDkrqpg==@debbugs.gnu.org X-Gm-Message-State: AOJu0YwSr0kYXll/9sdDxHhBw3aluaHfmSPlq7KW4rSJYjsjmQzlmLmG 8S6MQGChltGDvYiOUKiYnt6zy7Uk7taULFAh0rNGYuA3zfCIW3ycI1a8gmwGDVZSyLMjDzxKfI9 ivSsBBYLW+gR2oRwCvcxCb8HnHYA= X-Google-Smtp-Source: AGHT+IE/kA8dRik3NiTVJ5ar9ZhvWI3cp9+6F4xjU3/H85X2f3ln9mhmvczqLCo57qQ1dIC6Wif3HvWLBxjBDCMUeNE= X-Received: by 2002:a05:6402:13d1:b0:5c9:66c:660e with SMTP id 4fb4d7f45d1cf-5cefc6b549amr932344a12.13.1730935855453; Wed, 06 Nov 2024 15:30:55 -0800 (PST) Received: from 753933720722 named unknown by gmailapi.google.com with HTTPREST; Wed, 6 Nov 2024 23:30:54 +0000 From: Stefan Kangas In-Reply-To: <4215339a-e797-6198-2e40-8d577e1fec42@gmail.com> References: <86bjyttxql.fsf@gnu.org> <4215339a-e797-6198-2e40-8d577e1fec42@gmail.com> MIME-Version: 1.0 Date: Wed, 6 Nov 2024 23:30:54 +0000 Message-ID: Subject: Re: bug#65973: [PATCH] ; send filename, not full path, on EWW form submit To: Jim Porter , Eli Zaretskii , =?UTF-8?B?U2ViYXN0acOhbiBNb27DrWE=?= Content-Type: text/plain; charset="UTF-8" X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 65973 Cc: ozzloy@challenge-bot.com, 65973@debbugs.gnu.org, ozzloy@gmail.com X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Jim Porter writes: > On 11/5/2024 9:08 AM, Eli Zaretskii wrote: > >> I'd like some rationale for this change. The original report never >> explains why sending the full absolute file name to the server is bad. > > I see three possible reasons: 1) there could be (probably minor) privacy > issues with sending the directory structure along to a server; >From a privacy perspective, I don't think this we can really consider this as a minor issue. Users commonly use their full names, or another similarly unique identifier, as their login name. It goes without saying, that sending a string such as "/home/myfullname/some/file" to a remote host completely defeats all notions of preserving user privacy. From debbugs-submit-bounces@debbugs.gnu.org Thu Nov 07 01:20:54 2024 Received: (at 65973) by debbugs.gnu.org; 7 Nov 2024 06:20:54 +0000 Received: from localhost ([127.0.0.1]:46925 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t8vsz-0005r4-OE for submit@debbugs.gnu.org; Thu, 07 Nov 2024 01:20:54 -0500 Received: from eggs.gnu.org ([209.51.188.92]:60662) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t8vsw-0005qp-LC for 65973@debbugs.gnu.org; Thu, 07 Nov 2024 01:20:52 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1t8vsq-0006Jt-Lx; Thu, 07 Nov 2024 01:20:44 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=References:Subject:In-Reply-To:To:From:Date: mime-version; bh=d8ro+BMqjh9+jWrKOGC/skj+l5p3cYz1wN30madffqk=; b=HUfZe1UDkPGe JQJkbCma+DyKMNduVH/47Aj1wVBd1ZJC5NqRuppM43aZRbBZM4F2+CgSGrN2oULzwf//SuQebzHvu g65DsOvLYPoLmyRGqmA6Ge8DkIlrWgIQNAAV8RAvZ71SCipnESrQz874Qh1vmt1Ga9ECpMYzTdsyG 7E9w7cti1Y6my2+bfI4PIDX5eZ3t/NU635YworoPMaNTAKpllE4USGKEqdrUWrHeIVOh4DNZ+s2uD WZ72k932Wy03s7m3UWbY9JcaCx9CB0pkgKgvn5wQNykbKO2EnyopYi89+y7Y9X/Tc6N0YzzDe8DGK XaJhjIk1ZBrMI9oxsXhrsA==; Date: Thu, 07 Nov 2024 08:20:41 +0200 Message-Id: <86ttcjr2di.fsf@gnu.org> From: Eli Zaretskii To: Stefan Kangas In-Reply-To: (message from Stefan Kangas on Wed, 6 Nov 2024 23:30:54 +0000) Subject: Re: bug#65973: [PATCH] ; send filename, not full path, on EWW form submit References: <86bjyttxql.fsf@gnu.org> <4215339a-e797-6198-2e40-8d577e1fec42@gmail.com> X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 65973 Cc: jporterbugs@gmail.com, ozzloy@challenge-bot.com, 65973@debbugs.gnu.org, ozzloy@gmail.com, sebastian@sebasmonia.com X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) > From: Stefan Kangas > Date: Wed, 6 Nov 2024 23:30:54 +0000 > Cc: ozzloy@challenge-bot.com, 65973@debbugs.gnu.org, ozzloy@gmail.com > > Jim Porter writes: > > > On 11/5/2024 9:08 AM, Eli Zaretskii wrote: > > > >> I'd like some rationale for this change. The original report never > >> explains why sending the full absolute file name to the server is bad. > > > > I see three possible reasons: 1) there could be (probably minor) privacy > > issues with sending the directory structure along to a server; > > >From a privacy perspective, I don't think this we can really consider > this as a minor issue. > > Users commonly use their full names, or another similarly unique > identifier, as their login name. It goes without saying, that sending a > string such as "/home/myfullname/some/file" to a remote host completely > defeats all notions of preserving user privacy. The private information can be in the file name you send as well, so this is not a convincing argument. But since the RFC says to ignore the leading directories, I think the change is okay, provided we describe the rationale in the comments to the code. It is very unusual thing in Emacs to remove leading directories from a file name, so doing so generally begs for some commentary. From debbugs-submit-bounces@debbugs.gnu.org Thu Nov 07 13:54:01 2024 Received: (at 65973) by debbugs.gnu.org; 7 Nov 2024 18:54:01 +0000 Received: from localhost ([127.0.0.1]:49579 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t97do-0006DG-UA for submit@debbugs.gnu.org; Thu, 07 Nov 2024 13:54:01 -0500 Received: from mail-pl1-f169.google.com ([209.85.214.169]:58792) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t97dm-0006D2-UI for 65973@debbugs.gnu.org; Thu, 07 Nov 2024 13:53:59 -0500 Received: by mail-pl1-f169.google.com with SMTP id d9443c01a7336-20c9978a221so14616095ad.1 for <65973@debbugs.gnu.org>; Thu, 07 Nov 2024 10:53:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1731005573; x=1731610373; darn=debbugs.gnu.org; h=content-transfer-encoding:in-reply-to:references:cc:to:from :content-language:subject:mime-version:date:message-id:from:to:cc :subject:date:message-id:reply-to; bh=aQImUWArqUjphLyndIIDKLn506FcO4eyRozVpwq04JU=; b=c+siKk6HLf5N9mtt2UaogJEdVQWRitTRafcKOy4BwcBYrMOf9krYlcBKp2q3wYCGtD 1CxsYfIRDJZh25wVDEYxU0hjIUtO3J7m9l37WZj7sXjYncUH5j0PZa9xDdlZPsVeFfFb 6BntrTZCVCoDzmh1A9Rvh9xbSkx9h49U35NNTwy4klH+MMqHB2iMmafYWTqZjoRCK9nl s7nc/oQaJwm6xChCjQf+bb6Y1cuUNHiIP1Ubf/8Fbf8I7XLs92Lvu+guTy2GgIAwfAOg RHjGzktLsZySZU3RTln/DguUChoW7RLd3Wg0U3wKdTN9aDFP17VAolWoF+IC9jMSuSZP 850w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731005573; x=1731610373; h=content-transfer-encoding:in-reply-to:references:cc:to:from :content-language:subject:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=aQImUWArqUjphLyndIIDKLn506FcO4eyRozVpwq04JU=; b=ub31J1SlowYh7mnR3hhP3uaw6/in30z/86Brgev4em/EEwp3HMqr0rPWSm2HDSoerA nEG4BSO1IRPjsJgKV10VQ+B62ErWLZbOCH4oUoxdy1VQxBwaBUo0eBHCNvxiEolEohGb P95O0eYejh3cCJFuNi23b3/Po0/n4eeOcOAgh1wfl0TQL7Go46LBzxihrDEYiUf3gkzL +2FM6AcOoNqADbEKvPdM3SgLbu/iM8ryvYyyu4HE2GCJO3qAo+VNTukXgHJs4BBiaXPy RXZZvr+lB4GiTSKlDcmmH5N8tFRFEPnnIbWwETKknEky2d16nWhmKPuyHrA/uyJW2bgs qyKA== X-Forwarded-Encrypted: i=1; AJvYcCX7Z6bu3zBTfueDFMHzrtJLDLKZNkDNKbh3QkgbprMwep9AaKETGgEVNKeJK15CKJ1GYkhL8w==@debbugs.gnu.org X-Gm-Message-State: AOJu0YxpB/fyU0KERVFzDPB1nnV3Y5MDYT5vxpuxoIX/NwO+VzafsVIU YkMUYVMhywalBbfLkC66sgmtC2Hg/Rh/vrhkq4dndPJzMsGkH8Wu X-Google-Smtp-Source: AGHT+IEhgSd06a/JaFeLpcECgiEp/9HrQA5FA/tBOEwZAjEMYSQ3jgRd0NKiouEa86974braO4Piww== X-Received: by 2002:a17:903:32c5:b0:20c:5e86:9b68 with SMTP id d9443c01a7336-211822f9e41mr6605865ad.4.1731005573068; Thu, 07 Nov 2024 10:52:53 -0800 (PST) Received: from [192.168.1.2] (syn-023-240-098-037.res.spectrum.com. [23.240.98.37]) by smtp.googlemail.com with ESMTPSA id d9443c01a7336-21177e41884sm15586395ad.119.2024.11.07.10.52.52 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 07 Nov 2024 10:52:52 -0800 (PST) Message-ID: <05a30678-02e0-20fa-4f0b-9238f9a9081a@gmail.com> Date: Thu, 7 Nov 2024 10:52:51 -0800 MIME-Version: 1.0 Subject: Re: bug#65973: [PATCH] ; send filename, not full path, on EWW form submit Content-Language: en-US From: Jim Porter To: Eli Zaretskii , =?UTF-8?B?U2ViYXN0acOhbiBNb27DrWE=?= References: <86bjyttxql.fsf@gnu.org> <4215339a-e797-6198-2e40-8d577e1fec42@gmail.com> In-Reply-To: <4215339a-e797-6198-2e40-8d577e1fec42@gmail.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 65973 Cc: ozzloy@challenge-bot.com, 65973@debbugs.gnu.org, ozzloy@gmail.com X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) On 11/5/2024 11:36 AM, Jim Porter wrote: > I see three possible reasons: 1) there could be (probably minor) privacy > issues with sending the directory structure along to a server; 2) as far > as I'm aware, other browsers only pass the "leaf" of the filename; 3) > RFC 2813 says that *recipients* should ignore any directories: Just in case people get confused here (I did, upon re-reading my message): The correct RFC is 2183, not 2813. From debbugs-submit-bounces@debbugs.gnu.org Thu Nov 07 14:00:02 2024 Received: (at 65973-done) by debbugs.gnu.org; 7 Nov 2024 19:00:02 +0000 Received: from localhost ([127.0.0.1]:49588 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t97jd-0006TK-NU for submit@debbugs.gnu.org; Thu, 07 Nov 2024 14:00:02 -0500 Received: from mail-pf1-f174.google.com ([209.85.210.174]:58594) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t97jb-0006So-G8 for 65973-done@debbugs.gnu.org; Thu, 07 Nov 2024 14:00:00 -0500 Received: by mail-pf1-f174.google.com with SMTP id d2e1a72fcca58-720c2db824eso1338798b3a.0 for <65973-done@debbugs.gnu.org>; Thu, 07 Nov 2024 10:59:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1731005939; x=1731610739; darn=debbugs.gnu.org; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:mime-version:date:message-id:from:to:cc :subject:date:message-id:reply-to; bh=zi6zr+3HxVyGRrWb69m3GqN2xsx0OZDCbhks7P852iQ=; b=MYtw3eQUcGQQJHhYEbQWAQDHsXq7fi3zUzgKQrPTe+AbiKwP69K397YhgBmicMMXum R6wzpYVzrMFiKoj00acinqDlHcUEBKh7IIfbME33keXrb0p4BRYM0Lzif6I+w7geihM5 Yj4VtoyBYrvqefQmjZEg2HzFAy4r+i7n4rNqULA11ZK7A9AXrLefeug8WNyT5dg0Qmkf Udzwpd031T2GFlkHWCF9qDQqNR4AeRfo8pIZGpYjSUE533TTyj0EknPBRAGvHx5z/3ed RIa643J32XoIr0UeYmD+BiJKPX8ROkWXMSYAstQX3TIFHvgKLLD0sbxGOV3OqCDz8kr8 sGuw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731005939; x=1731610739; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=zi6zr+3HxVyGRrWb69m3GqN2xsx0OZDCbhks7P852iQ=; b=mzct6ee2rh7aveFcrHOVsF+U+JIpUL0qcpwauAhwDB200E1pu5/9Z3L3NDAWEluqtP GAiXMvLh45Iji7RSYZL2/jfzb9OH/U6sKmtcFMs0aUV+Bu+rpV9qlvUkdTHmsC3HSPHE W+FkDOamSBrJQxnyN+vIe+BceuoGMlU1v6JAy/JK5StGkDqQagMjS3YRRs9hXpm9xLu/ 9flPKZMpxCRvUjQWBalSCraslOrvTFpRSm7s3uFAB6WOMHFwV2bN5c2tpxUcWC17OKaW /BZGqyxrMC4KMRaNllbOSJ6c3yJN2lz+XTqMmgf+KsX5q72qJFQBhphvNYVlWLP3McT0 IRsg== X-Forwarded-Encrypted: i=1; AJvYcCV2eR+DZGrh8Kn6ED8JCik5BRfCKbL9dHFARzR7XirCMBhAJqOkKGnWLYpR6mWCYCqDUjFu9N7oI/X9@debbugs.gnu.org X-Gm-Message-State: AOJu0Yyz0LndT6DIW7SHS85uHYinDMiR+IMlZ25QwHX1Bwxp1j1IkhCF wuaWgZHZ1hhgneXzwGs4BVs7CfuxLYhPi2zSFD/0Lr7AINU70c0Y X-Google-Smtp-Source: AGHT+IELHHXjU1gKNoOOSms1JizcaTqTAfUAcWu5J802nJ0vcbjqm115mvw7ylQUMkkLBv9yK9I+iw== X-Received: by 2002:a05:6a20:4325:b0:1d6:fb1b:d07a with SMTP id adf61e73a8af0-1dc22b57f1dmr19398637.31.1731005938692; Thu, 07 Nov 2024 10:58:58 -0800 (PST) Received: from [192.168.1.2] (syn-023-240-098-037.res.spectrum.com. [23.240.98.37]) by smtp.googlemail.com with ESMTPSA id 41be03b00d2f7-7f41f65b5afsm1782857a12.76.2024.11.07.10.58.57 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 07 Nov 2024 10:58:58 -0800 (PST) Message-ID: Date: Thu, 7 Nov 2024 10:58:57 -0800 MIME-Version: 1.0 Subject: Re: bug#65973: [PATCH] ; send filename, not full path, on EWW form submit Content-Language: en-US To: Eli Zaretskii , Stefan Kangas References: <86bjyttxql.fsf@gnu.org> <4215339a-e797-6198-2e40-8d577e1fec42@gmail.com> <86ttcjr2di.fsf@gnu.org> From: Jim Porter In-Reply-To: <86ttcjr2di.fsf@gnu.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 65973-done Cc: sebastian@sebasmonia.com, ozzloy@challenge-bot.com, ozzloy@gmail.com, 65973-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) On 11/6/2024 10:20 PM, Eli Zaretskii wrote: > But since the RFC says to ignore the leading directories, I think the > change is okay, provided we describe the rationale in the comments to > the code. It is very unusual thing in Emacs to remove leading > directories from a file name, so doing so generally begs for some > commentary. It sounds like we all agree on doing this for various reasons. I've now merged this to the master branch as f6b55678d76 with some commentary mentioning RFC 2183, so closing this bug. Of course, if the commentary is insufficient or anyone notices any other issues, just let me know. From debbugs-submit-bounces@debbugs.gnu.org Thu Nov 07 20:34:52 2024 Received: (at 65973) by debbugs.gnu.org; 8 Nov 2024 01:34:52 +0000 Received: from localhost ([127.0.0.1]:50427 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t9Dtj-0007ii-4N for submit@debbugs.gnu.org; Thu, 07 Nov 2024 20:34:51 -0500 Received: from mail-ed1-f44.google.com ([209.85.208.44]:49642) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t9Dta-0007iL-Ui for 65973@debbugs.gnu.org; Thu, 07 Nov 2024 20:34:48 -0500 Received: by mail-ed1-f44.google.com with SMTP id 4fb4d7f45d1cf-5cef772621eso1730251a12.3 for <65973@debbugs.gnu.org>; Thu, 07 Nov 2024 17:34:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1731029617; x=1731634417; darn=debbugs.gnu.org; h=cc:to:subject:message-id:date:mime-version:references:in-reply-to :from:from:to:cc:subject:date:message-id:reply-to; bh=aFvnoUSg4PvYGg86wmo4K0+1rC52mCt8owhEiIEp2TU=; b=NXI7nPthY5qo2leKSWFdEAU4z02VfXy6/fZh8/ZO3rI1jV8/G9NA8YubgBimZVKHyk uyCzDSvK6eKXb6gvqVF//+JZKiCR3M0m0kRKNzUtK1NBjCGudbxqT/+w3xfmh1a32Wi4 Gz6xfVbEVk0jg7MYdoEEJL/rbp7lV8dMSkvuVZIQtA0HkOL2Zn85pBFal4Adufi/2j7I z4aPFKAoTwGQOmyrt492BfNeP8B79ZN2LdGQ8wNhg8bl/rqSALeVkyQKzNVBUzjPCwP8 dazR6OmrEkbwdOEfKI+cxYoec8+1yG6bGRQr6HdnR3AElqOV3Np21Ct7qLcwEW7BAzBo +UAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731029617; x=1731634417; h=cc:to:subject:message-id:date:mime-version:references:in-reply-to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=aFvnoUSg4PvYGg86wmo4K0+1rC52mCt8owhEiIEp2TU=; b=qte9GGedW/j+QPbv0P+zqahLqGeuI/lI49PdU/izLP/A9kg01oQ7CQZqS/+mae+4Ny N3YwF/0g+ALY98DGmu5rt/qeEuSXB+mEMk+/lp5WCg+sAAtMjAvxD7PLMMfT7r2Ayw6k WAviuKu7EBxdP2a5ZD0tgwsf0Ur9PBkPD33toygbcKBPht0hzeODMFgoPKEKx6l5FUzS cGLNYXgGlqgz5Av/qA0iM7HkNm8wXjlFpBMBo+/vJ3JJVgyBOwiIBvqngG27xtf3Rllw fSRKRPYNCmI5v/9CNKcbgLRCtMnkWxvttlybXJQLmZu6AHdDi8r6R9lUmZh+c6ZLLdPQ T80w== X-Forwarded-Encrypted: i=1; AJvYcCUkq3HlV2Ey9/kSgBVCXXdg3JBObggv9P5DaSE4t+51thzVPIS8jtL4xCNEnv5dSPd9/QnH7Q==@debbugs.gnu.org X-Gm-Message-State: AOJu0YywaoKvaJTM+vC7ep/5qJ37v7ne/cVhl14CjaI49iJOeixyyVoZ xWc9viS7XdU/MOCVaC8Bo6ULi3jXDtEReLqwLj/xrEdJBZHlYnFDnrMg+lYuIM3kZKB/sRLPbvl LrOcfK3ExIRMVBhNRcV7AfsIC2dQ= X-Google-Smtp-Source: AGHT+IG+1IkCb6nhtrH2RuV82CSQg4l0AwJDJx4EbXEWhCpEKlIkJBio2F4lwIRkJaTJHa3JRmaWIs58zK9pBPcpQdw= X-Received: by 2002:a05:6402:42c6:b0:5ca:1598:195b with SMTP id 4fb4d7f45d1cf-5cf0a45df77mr764735a12.28.1731029616502; Thu, 07 Nov 2024 17:33:36 -0800 (PST) Received: from 753933720722 named unknown by gmailapi.google.com with HTTPREST; Fri, 8 Nov 2024 01:33:36 +0000 From: Stefan Kangas In-Reply-To: <86ttcjr2di.fsf@gnu.org> References: <86bjyttxql.fsf@gnu.org> <4215339a-e797-6198-2e40-8d577e1fec42@gmail.com> <86ttcjr2di.fsf@gnu.org> MIME-Version: 1.0 Date: Fri, 8 Nov 2024 01:33:36 +0000 Message-ID: Subject: Re: bug#65973: [PATCH] ; send filename, not full path, on EWW form submit To: Eli Zaretskii Content-Type: text/plain; charset="UTF-8" X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 65973 Cc: jporterbugs@gmail.com, ozzloy@challenge-bot.com, 65973@debbugs.gnu.org, ozzloy@gmail.com, sebastian@sebasmonia.com X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Eli Zaretskii writes: > The private information can be in the file name you send as well, so > this is not a convincing argument. True, but then at least it's obvious to the user that private information is being sent. Leaking your username on file upload is not something that I believe most users would expect. I didn't, at least. > But since the RFC says to ignore the leading directories, I think the > change is okay, provided we describe the rationale in the comments to > the code. It is very unusual thing in Emacs to remove leading > directories from a file name, so doing so generally begs for some > commentary. It seems like we agree then, thanks. From unknown Tue Jun 17 20:11:59 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Fri, 06 Dec 2024 12:24:09 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator