mirror of https://github.com/moparisthebest/xeps synced 2024-11-28 04:02:20 -05:00

Add paragraph in security section about protecting against malicious thumbnail dimensions in offer. Fixed a typo.

git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@3000 4b5297f7-1745-476d-ba37-a9c6900126ab
Marcus Lundblad 2009-04-06 18:23:26 +00:00
parent 06e342152c
commit 094b66f592


@ -28,6 +28,12 @@
<email>ml@update.uu.se</email>
<jid>mlundblad@jabber.org</jid>
</author>
<revision>
<version>0.2</version>
<date>2009-04-06</date>
<initials>ml</initials>
<remark><p>Add paragraph in security section about protecting agains malicious thumbnail dimensions in offer. Fixed a typo.</p></remark>
</revision>
<revision>
<version>0.1</version>
<date>2009-04-02</date>
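Review bot: the new 0.2 <remark> reads "protecting agains malicious thumbnail dimensions"; "agains" should be "against". The remark becomes part of the document's revision history, so correct it in this change.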
@ -64,7 +70,7 @@ file being offered (name, size, and date). There currently is no way to provide
<p>This documents defines a way to include a thumbnail image as an additional metadata in a file transfer.</p>
</section1>
<section1 topic='Use Case' anchor='usecase'>
<p>When a client wishes to supply a thumbnail in a transfer offer, it can do so by including an extra <![CDATA[<thumbnail/>]]> element as show in the following exaples.</p>
<p>When a client wishes to supply a thumbnail in a transfer offer, it can do so by including an extra <![CDATA[<thumbnail/>]]> element as shown in the following exaples.</p>
<example caption='Inclusion of a thumbnail in SI file transfer offer'><![CDATA[
<iq type='set' id='offer1' to='receiver@jabber.org/resource'>
<si xmlns='http://jabber.org/protocol/si'
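Review bot: the corrected Use Case sentence still ends with "exaples"; since the line is already being touched for "show" to "shown", change it to "examples" in the same edit. The context line above it, "This documents defines a way", also needs "document".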
@ -162,6 +168,7 @@ file being offered (name, size, and date). There currently is no way to provide
<p>The inclusion of an image thumbnail may leak information about a transfer
otherwise taking place on an e2e encrypted file transfer stream. A client MAY
wish to not include a thumbnail.</p>
<p>A client MUST not rely on the values specified for the width and height of a thumbnail to allocate a bitmap data buffer for the thumbnail, to prevent possible DoS attacks. Also a client SHOULD apply implementation-specific limits on the thumbnails, if using these values to pepare a UI element for the thumbnail image, of f.ex. 128x128 pixels, values exceeding theese would then be truncated and the thumbnail image scaled down when received.</p>
</section1>
<section1 topic='IANA Considerations' anchor='iana'>
<p>This document requires no interaction with &IANA;.</p>
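Review bot: in the added security paragraph, "MUST not" is not the RFC 2119 keyword; write "MUST NOT" so the requirement reads as normative. The second sentence is hard to parse and has typos ("pepare", "theese", "f.ex."); suggest splitting it into one sentence saying a client SHOULD apply an implementation-specific limit (for example 128x128 pixels) when it uses the advertised width and height to prepare a UI element, and a second saying that larger values are truncated to that limit and the received thumbnail is scaled down. The paragraph also leaves open what the bitmap buffer should be sized from instead of the offered values; saying that it is sized from the image data actually received, subject to the same limit, would close the DoS case the first sentence names.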