GNU bug report logs - #65973
[PATCH] ; send filename, not full path, on EWW form submit

Previous Next

Full log

Message #26 received at 65973 <at> debbugs.gnu.org (full text, mbox):

From: Sebastián Monía <sebastian <at> sebasmonia.com>
To: Jim Porter <jporterbugs <at> gmail.com>
Cc: Eli Zaretskii <eliz <at> gnu.org>, ozzloy <at> challenge-bot.com,
 65973 <at> debbugs.gnu.org, ozzloy <at> gmail.com
Subject: Re: bug#65973: [PATCH] ; send filename, not full path, on EWW form
 submit
Date: Tue, 05 Nov 2024 22:30:01 -0500

Jim Porter <jporterbugs <at> gmail.com> writes:
> On 11/5/2024 9:08 AM, Eli Zaretskii wrote:
>> I'd like some rationale for this change.  The original report never
>> explains why sending the full absolute file name to the server is bad.
>
> I see three possible reasons: 1) there could be (probably minor)
> privacy issues with sending the directory structure along to a server;
> 2) as far as I'm aware, other browsers only pass the "leaf" of the
> filename; 3) RFC 2813 says that *recipients* should ignore any
> directories: [...]
> RFC 2813 is primarily about mail clients, but MDN suggests following
> it in a web context as well:
> <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition>.

> So I think the RFC would suggest that it's *allowed* to send the
> directories in the "filename" field, but since the server is supposed
> to ignore it, there's no benefit to doing so.

I didn't get as far as Jim did. I assumed the concern was #1, and I knew
the rest of the path is ignored, so figured we should go ahead.

Regards,
Seb

-- 
Sebastián Monía
https://site.sebasmonia.com/

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.