12.5.3 grammatical error #1206

jmanico · 2022-02-02T12:42:08Z

12.5.3	[MODIFIED, MOVED FROM 12.3.4] Verify that the application validates or ignores user-submitted filenames, including in a JSON, JSONP, or URL parameter. The response Content-Type header and Content-Disposition header should be fixed to the file and securely handled by the application instead of the user.

tghosth · 2022-12-07T17:18:39Z

@set-reminder 3 weeks look at this

octo-reminder · 2022-12-07T17:18:42Z

⏰ Reminder
Wednesday, December 28, 2022 12:00 AM (GMT+01:00)

look at this

tghosth · 2022-12-20T07:54:45Z

Based on w3c/webappsec-post-spectre-webdev@f1728a1 and w3c/webappsec-post-spectre-webdev#1 and #1004 and #721 and #1008, I don't think Reflected File Download is a relevant attack any more.

As such, I want to streamline this requirement to be more specific.

tghosth · 2022-12-20T08:04:18Z

Created #1458

elarlang · 2022-12-20T10:04:31Z

From proposal 02573dd

#	Description	L1	L2	L3	CWE
12.5.3	[MODIFIED, SPLIT FROM 12.3.4] Verify that the application validates or ignores user-submitted filenames, including in a JSON, JSONP, or URL parameter and specifies a filename in the Content-Disposition header in the response.	✓	✓	✓	641
12.5.4	[MODIFIED, SPLIT FROM 12.3.4] Verify that the Content-Type header is set to the appropriate type for the file being downloaded.	✓	✓	✓	430

I think proposed 12.5.4 is duplicating current 14.4.1:

#	Description	L1	L2	L3	CWE
14.4.1	Verify that every HTTP response contains a Content-Type header. Also specify a safe character set (e.g., UTF-8, ISO-8859-1) if the content types are text/*, /+xml and application/xml. Content must match with the provided Content-Type header.	✓	✓	✓	173

And actually, how relevant the Content-Type header value is for downloaded file? Downloaded file is opened in local operation system based on file extension I guess.

Current 12.5.3 potentially overlaps a bit with #1390

tghosth · 2022-12-20T10:52:47Z

#1390 should maybe be a new requirement in 12.5.x

Having read this I am still undecided about what the content type should be.

I am however inclined to skip 12.5.4 and rely on 14.4.1 which I agree kinda already covers it.

What do you think?

octo-reminder · 2022-12-27T23:00:05Z

🔔 @tghosth

look at this

jmanico added the owasp_class_hel label Feb 2, 2022

elarlang mentioned this issue Feb 2, 2022

12.5.3 #1205

Closed

elarlang assigned jmanico Oct 8, 2022

tghosth assigned tghosth and unassigned jmanico Dec 7, 2022

tghosth added 5) awaiting PR A proposal hs been accepted and reviewed and we are now waiting for a PR _5.0 - prep This needs to be addressed to prepare 5.0 labels Dec 7, 2022

tghosth added the reminder label Dec 7, 2022

tghosth mentioned this issue Dec 20, 2022

Clarifying file download requirements #1458

Merged

tghosth linked a pull request Dec 20, 2022 that will close this issue

Clarifying file download requirements #1458

Merged

tghosth removed their assignment Dec 20, 2022

tghosth added 6) PR awaiting review and removed 5) awaiting PR A proposal hs been accepted and reviewed and we are now waiting for a PR labels Dec 20, 2022

jmanico closed this as completed in #1458 Jan 2, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

12.5.3 grammatical error #1206

12.5.3 grammatical error #1206

jmanico commented Feb 2, 2022

tghosth commented Dec 7, 2022

octo-reminder bot commented Dec 7, 2022

tghosth commented Dec 20, 2022

tghosth commented Dec 20, 2022

elarlang commented Dec 20, 2022

tghosth commented Dec 20, 2022

octo-reminder bot commented Dec 27, 2022

12.5.3 grammatical error #1206

12.5.3 grammatical error #1206

Comments

jmanico commented Feb 2, 2022

tghosth commented Dec 7, 2022

octo-reminder bot commented Dec 7, 2022

tghosth commented Dec 20, 2022

tghosth commented Dec 20, 2022

elarlang commented Dec 20, 2022

tghosth commented Dec 20, 2022

octo-reminder bot commented Dec 27, 2022