Adding reference to symbolic links to the threat models (issue 2322) #2337
Conversation
iherman
changed the title
It's not universal to all zip tools, either, so not sure it would make sense to call it out specifically. Should we say anything in the recommendations about perhaps being less trusting of resources that are not declared in the package document? Something along the lines of although these are allowed, reading systems may want to attempt to verify their format before unpacking/allowing access to them? |
+1
Isn't that a separate issue? If I want to be nasty, I can create a symbolic link, and I then I declare it in the package document. I guess epubcheck may catch this, but that is simply because they are that good :-) |
|
It's true for all resources since you can fake out epubcheck by declaring it as a foreign resource. Won't catch sideloaded content, either. This issue just highlights the problem. |
The PR adds a reference to symbolic links to the threat models of both the core and the RS specs, essentially along the lines of what had been proposed in #2322 (comment). Both threat models already had an item on "malicious content", and that seemed like the good place to add this.
Because the threat models' section implicitly says to RS systems that "you ought to deal with these", adding a separate warning along these lines on symbolic links (and friends), as also mentioned in #2322 (comment), seemed superfluous.
I did not find a proper place to add a note on not using the
-yoption in thezipcommand; we do not refer to that command in the spec in the first place. So I dropped this, too.Fix #2322
See:
Preview | Diff