From 094b66f592486406dac96aa1af47829f87a76e5f Mon Sep 17 00:00:00 2001 From: Marcus Lundblad Date: Mon, 6 Apr 2009 18:23:26 +0000 Subject: [PATCH] Add paragraph in security section about protecting agains malicious thumbnail dimensions in offer. Fixed a typo. git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@3000 4b5297f7-1745-476d-ba37-a9c6900126ab --- xep-0264.xml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/xep-0264.xml b/xep-0264.xml index 42b974db..79cee04e 100644 --- a/xep-0264.xml +++ b/xep-0264.xml @@ -28,6 +28,12 @@ ml@update.uu.se mlundblad@jabber.org + + 0.2 + 2009-04-06 + ml +

Add paragraph in security section about protecting agains malicious thumbnail dimensions in offer. Fixed a typo.

+
0.1 2009-04-02 @@ -64,7 +70,7 @@ file being offered (name, size, and date). There currently is no way to provide

This documents defines a way to include a thumbnail image as an additional metadata in a file transfer.

-

When a client wishes to supply a thumbnail in a transfer offer, it can do so by including an extra ]]> element as show in the following exaples.

+

When a client wishes to supply a thumbnail in a transfer offer, it can do so by including an extra ]]> element as shown in the following exaples.

The inclusion of an image thumbnail may leak information about a transfer otherwise taking place on an e2e encrypted file transfer stream. A client MAY wish to not include a thumbnail.
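Review bot: The replacement line in the use-case paragraph corrects "show" to "shown" but still reads "exaples"; change it to "examples" in the same edit, since the line is already being touched. The unchanged context line above it ("This documents defines a way") has a similar slip and could be cleaned up in this commit as well.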

+

A client MUST not rely on the values specified for the width and height of a thumbnail to allocate a bitmap data buffer for the thumbnail, to prevent possible DoS attacks. Also a client SHOULD apply implementation-specific limits on the thumbnails, if using these values to pepare a UI element for the thumbnail image, of f.ex. 128x128 pixels, values exceeding theese would then be truncated and the thumbnail image scaled down when received.

This document requires no interaction with &IANA;.
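Review bot: In the added security paragraph, "MUST not" should be written "MUST NOT", matching the capitalised MAY and SHOULD used elsewhere in the section, so the requirement reads as a normative keyword. The second sentence is also hard to parse: it does not say whether the 128x128 limit applies to the advertised width and height, to the image actually received, or to both, and "truncated" can be read as cropping the image rather than clamping the advertised values. Suggest splitting it into two sentences, one saying that advertised dimensions are clamped to an implementation-specific maximum before any UI element is prepared, and one saying what the client should size its bitmap buffer from instead of the offer. While here, fix "pepare" and "theese" and spell out "f.ex.".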