GNU bug report logs - #65973
[PATCH] ; send filename, not full path, on EWW form submit


Package: emacs

Reported by: daniel watson <ozzloy <at> challenge-bot.com>

Date: Thu, 14 Sep 2023 07:48:01 UTC

Severity: normal

Tags: patch

Done: Jim Porter <jporterbugs <at> gmail.com>

Bug is archived. No further changes may be made.



Message #23 received at 65973 <at> debbugs.gnu.org (full text, mbox):

From: Jim Porter <jporterbugs <at> gmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>, Sebastián Monía
 <sebastian <at> sebasmonia.com>
Cc: ozzloy <at> challenge-bot.com, 65973 <at> debbugs.gnu.org, ozzloy <at> gmail.com
Subject: Re: bug#65973: [PATCH] ; send filename, not full path, on EWW form
 submit
Date: Tue, 5 Nov 2024 11:36:25 -0800

On 11/5/2024 9:08 AM, Eli Zaretskii wrote:
>> Cc: daniel watson <ozzloy <at> challenge-bot.com>, 65973 <at> debbugs.gnu.org
>> From: Sebastián Monía
>>   <sebastian <at> sebasmonia.com>
>> Date: Tue, 05 Nov 2024 09:34:46 -0500
>>
>>
>> /added Jim for visibility/
>>
>> This seems like something simple enough to merge.
>> Thoughts?
>>
>> ozzloy <ozzloy <at> gmail.com> writes:
>>>   bump
>>>
>>>   On Wed, Sep 13, 2023 at 11:10 PM daniel watson <ozzloy <at> challenge-bot.com> wrote:
>>>
>>>   0. in one terminal, run this http server
>>>      https://git.sr.ht/~ozzloy/emacs-bug-63941/tree/master/item/server.py
>>>   1. in another terminal, run
>>>      socat -v tcp-listen:8086,fork tcp:localhost:8085
>>>   2. browse to the page with EWW,
>>>      M-x eww <ENTER> localhost:8086 <ENTER>
>>>   3. put the cursor on the word "Browse" <ENTER>
>>>   4. select any file to which you have read access for uploading
>>>   5. put cursor on "Submit" <ENTER>
>>>   6. observe the full path of the file is sent to the server.  this is
>>>      visible in both the python output and the socat output.
>>>
>>>   i'm including the diff inline to make it easier to review without
>>>   downloading the attached file.
> 
> I'd like some rationale for this change.  The original report never
> explains why sending the full absolute file name to the server is bad.

I see three possible reasons: 1) there could be (probably minor) privacy 
issues with sending the directory structure along to a server; 2) as far 
as I'm aware, other browsers only pass the "leaf" of the filename; 3) 
RFC 2813 says that *recipients* should ignore any directories:

   The receiving MUA SHOULD NOT respect any directory path information
   that may seem to be present in the filename parameter.  The filename
   should be treated as a terminal component only.  Portable
   specification of directory paths might possibly be done in the future
   via a separate Content-Disposition parameter, but no provision is
   made for it in this draft.

RFC 2813 is primarily about mail clients, but MDN suggests following it 
in a web context as well: 
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition>. 
So I think the RFC would suggest that it's *allowed* to send the 
directories in the "filename" field, but since the server is supposed to 
ignore it, there's no benefit to doing so.
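
The recipient-side rule quoted above (treat the filename as a terminal component only), shown as an added example that is not part of the original message, of Emacs, or of the reproduction server. The function names and the sample header are constructed for illustration, and the example goes slightly beyond the quoted text by also treating Windows-style backslashes as path separators.

```python
import re
from email.parser import HeaderParser

# Hypothetical helper names; nothing here comes from EWW or the repro server.
_SEPARATORS = re.compile(r"[\\/]")        # POSIX and Windows path separators
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # control characters are never kept


def terminal_component(filename):
    """Reduce a client-supplied filename to its last path component.

    Returns None when nothing usable remains (missing, empty, '.' or '..'),
    so the caller can fall back to a server-generated name.
    """
    if filename is None:
        return None
    leaf = _SEPARATORS.split(filename)[-1]
    leaf = _CONTROL.sub("", leaf).strip()
    if leaf in ("", ".", ".."):
        return None
    return leaf


def upload_filename(part_headers):
    """Parse the headers of one multipart/form-data part.

    Returns (as_sent, as_stored): the filename parameter exactly as the
    client sent it, and the only form the server should ever use.
    """
    msg = HeaderParser().parsestr(part_headers)
    sent = msg.get_filename()  # reads filename= from Content-Disposition
    return sent, terminal_component(sent)


# Constructed sample: a part header of the kind a client produces when it
# sends the full absolute path instead of only the leaf name.
SAMPLE_PART = (
    'Content-Disposition: form-data; name="file"; '
    'filename="/home/alice/projects/secret/report.txt"\r\n'
    "Content-Type: text/plain\r\n\r\n"
)

if __name__ == "__main__":
    sent, stored = upload_filename(SAMPLE_PART)
    print("client sent :", sent)
    print("server keeps:", stored)
```

Logging `as_sent` next to `as_stored` on the server makes it easy to spot clients that still disclose their directory layout.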




This bug report was last modified 193 days ago.
