diff --git a/xep-0264.xml b/xep-0264.xml index 42b974db..79cee04e 100644 --- a/xep-0264.xml +++ b/xep-0264.xml @@ -28,6 +28,12 @@ ml@update.uu.se mlundblad@jabber.org + + 0.2 + 2009-04-06 + ml +

Add paragraph in security section about protecting agains malicious thumbnail dimensions in offer. Fixed a typo.

+
0.1 2009-04-02 @@ -64,7 +70,7 @@ file being offered (name, size, and date). There currently is no way to provide

This documents defines a way to include a thumbnail image as an additional metadata in a file transfer.

-

When a client wishes to supply a thumbnail in a transfer offer, it can do so by including an extra ]]> element as show in the following exaples.

+

When a client wishes to supply a thumbnail in a transfer offer, it can do so by including an extra ]]> element as shown in the following exaples.

The inclusion of an image thumbnail may leak information about a transfer otherwise taking place on an e2e encrypted file transfer stream. A client MAY wish to not include a thumbnail.

+

A client MUST not rely on the values specified for the width and height of a thumbnail to allocate a bitmap data buffer for the thumbnail, to prevent possible DoS attacks. Also a client SHOULD apply implementation-specific limits on the thumbnails, if using these values to pepare a UI element for the thumbnail image, of f.ex. 128x128 pixels, values exceeding theese would then be truncated and the thumbnail image scaled down when received.

This document requires no interaction with &IANA;.
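Review bot: the remark added for revision 0.2 misspells "against" as "agains" ("protecting agains malicious thumbnail dimensions in offer"). This text becomes part of the published revision history, so correct it in this patch. "Fixed a typo" would also be easier to audit if it named the section it touched.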
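Review bot: in the hunk at -64,7 +70,7, the replacement line fixes "show" to "shown" but still ends with "exaples"; change it to "examples" in the same edit. The unchanged context line just above, "This documents defines a way", has the same kind of slip ("This document defines") and could be corrected in the same pass.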
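Review bot: in the paragraph added to the security section, "MUST not" should be written "MUST NOT" so that it reads as the normative keyword rather than as ordinary prose. The second sentence is a run-on and leaves it unclear what "truncated" applies to: split it so that one sentence states the limit (the 128x128 example) and the next states that declared width and height values above the limit are clamped to it and the received image is scaled down. While there, fix "pepare", "theese" and the abbreviation "f.ex.". The first sentence says what a client must not do with the offered dimensions but not what it should do instead; consider adding that the bitmap buffer is sized from the image data actually received, subject to the same implementation limit.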