From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Jim Porter <jporterbugs@gmail.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#65973: [PATCH] ; send filename, not full path, on EWW form submit
Date: Tue, 5 Nov 2024 11:36:25 -0800
Message-ID: <4215339a-e797-6198-2e40-8d577e1fec42@gmail.com>
References: <ZQKjw9QkW5lMSX5Z@challenge-bot.com>
 <CACT2Ongj3eAV0DYcUBedV8T+kbpGM2sZAV7KBWLFEAvx+LwW9w@mail.gmail.com>
 <thqn4j4lhhq1.fsf@sebasmonia.com> <86bjyttxql.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="22743"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: ozzloy@challenge-bot.com, 65973@debbugs.gnu.org, ozzloy@gmail.com
To: Eli Zaretskii <eliz@gnu.org>,
 =?UTF-8?Q?Sebasti=C3=A1n_?= =?UTF-8?Q?Mon=C3=ADa?=
 <sebastian@sebasmonia.com>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Tue Nov 05 20:38:28 2024
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1t8PNk-0005lj-Bf
	for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 05 Nov 2024 20:38:28 +0100
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces@gnu.org>)
	id 1t8PNQ-0007dQ-AO; Tue, 05 Nov 2024 14:38:08 -0500
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1t8PNK-0007dE-TB
 for bug-gnu-emacs@gnu.org; Tue, 05 Nov 2024 14:38:02 -0500
Original-Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1t8PNK-0005Zh-0G
 for bug-gnu-emacs@gnu.org; Tue, 05 Nov 2024 14:38:02 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=debbugs.gnu.org; s=debbugs-gnu-org; 
 h=In-Reply-To:From:References:MIME-Version:Date:To:Subject;
 bh=9Z94Vc0snWrJMcdvKtJ3SqRXcL43Cipk41wRlezvTeo=; 
 b=RP/zlEkL9TnVXagNiGTZh22p3w2Ii/m7hp8WXzW65UUwg3o9MD6ssevCT1ZmzFi+2zwyvEvJMFFU5pNGYt7Y/OqcKok7gqJOxveeVzg8Sv4QFwkRgjG5+9LtKfjSX1laz3Ou3Zk2R0kjFP4yBPdUKSpO8m1aagwP0eHOQltFtfb+U8f8Rkm3qLQWLYUGEoh35IQWivJZS8keqIoxmH12JXYMz3PauQ/bB9QnQalGkszglOvjm6JttK2g3sumy/BXJZzzohOnBaoKCDi6ZGFuP/smhfpPKUiFtxsWMDoi1wyGEjXTNZSmu0ghyRgaWErW/OZt8JSkdT0f2NRGWNL8jw==;
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1t8PNJ-0002vH-RF
 for bug-gnu-emacs@gnu.org; Tue, 05 Nov 2024 14:38:01 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Jim Porter <jporterbugs@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Tue, 05 Nov 2024 19:38:01 +0000
Resent-Message-ID: <handler.65973.B65973.173083545711200@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 65973
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: patch
Original-Received: via spool by 65973-submit@debbugs.gnu.org id=B65973.173083545711200
 (code B ref 65973); Tue, 05 Nov 2024 19:38:01 +0000
Original-Received: (at 65973) by debbugs.gnu.org; 5 Nov 2024 19:37:37 +0000
Original-Received: from localhost ([127.0.0.1]:37997 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1t8PMu-0002ua-Rg
 for submit@debbugs.gnu.org; Tue, 05 Nov 2024 14:37:37 -0500
Original-Received: from mail-pg1-f170.google.com ([209.85.215.170]:42179)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jporterbugs@gmail.com>) id 1t8PMs-0002uN-I9
 for 65973@debbugs.gnu.org; Tue, 05 Nov 2024 14:37:36 -0500
Original-Received: by mail-pg1-f170.google.com with SMTP id
 41be03b00d2f7-7ea7ad1e01fso122679a12.0
 for <65973@debbugs.gnu.org>; Tue, 05 Nov 2024 11:37:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1730835388; x=1731440188; darn=debbugs.gnu.org;
 h=content-transfer-encoding:in-reply-to:from:references:cc:to
 :content-language:subject:mime-version:date:message-id:from:to:cc
 :subject:date:message-id:reply-to;
 bh=9Z94Vc0snWrJMcdvKtJ3SqRXcL43Cipk41wRlezvTeo=;
 b=ER7F7wYFHAnTD86hE1CgHflkn7N9aqc5dQX8gJJWXiW/6El89lonP1DgCUEi2GBm96
 JjIvUjIWZmLqjHoJGbcww5UX+fUOh6gr/G7K4HjDblzdE5mG4yMPB0FS+PXTUJK8PISh
 NG8JjtsL0AgvQnMbzZegjlnVFvmPE/FnqUiD0mZTcS56ABO07ivnqGP5xSMSKAyKb5Hf
 SOvC4ihtohugy7o+ajFY1Q66W9dU3AGMpEg+ryq+WeZ3G3snJ2nZ7f8B5ZXmSTRFM4lQ
 ug2VMPq987TEpGGdDoRK3LNe/5XvJOjaWQi5MijLIJNm7XzSJKtFTulHjj9VVL0d6TVC
 fZhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1730835388; x=1731440188;
 h=content-transfer-encoding:in-reply-to:from:references:cc:to
 :content-language:subject:mime-version:date:message-id
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=9Z94Vc0snWrJMcdvKtJ3SqRXcL43Cipk41wRlezvTeo=;
 b=YDyLGp5YWIknDenjPLJXLz4ZTUSCgTiiKR/YGODtxiVLpO1S2+Dimtq4ERJUJ1TbtA
 VwrxCNyLhk6TQujIheItkz5DXSAJZaCzZOrdQm43akN2Ae3kLaI000P9fdGaDGwZVXWW
 hazFLH8OcsK4WovyP27ipydPM9d6alDQ9tGtt7KDzLztRxAt88IUp0KxIPCG5ZNVVLno
 FBhIP04gPRpgDm0OTKNA+sSTKKju2NFzQfTp1ZPwczug4pYCvBKvLo6GM1lMJD6ua1ZY
 C0v086h06uamJgyHvkaIMsqffY1LVv2sEBOZOPMgiZKZIdmsTr3+8Pzw7fao9S7yZE0i
 7eJg==
X-Forwarded-Encrypted: i=1;
 AJvYcCW93fo/tgHss37T5apYM8yToVcMQr2DjSBT+M12iaUORK/hXfm2CfXbtz7itOnHicQhR+L+yg==@debbugs.gnu.org
X-Gm-Message-State: AOJu0YwZYqK5wjRGvx5yPW1v7TIDYvTJ+iKTf0Q1A6gwBzqF1PSbgogU
 m/T47JmNaD/d2mJKsLUhy33htPcCjezeIPlGkI3AcJ5EwilxBBtn
X-Google-Smtp-Source: AGHT+IFr4X1GoAFV0il1ueiRhBARWjFOhPUu0J+50xJ9zcMXRld7rXCaBrDU8JfzYoSiBasEAU7p0w==
X-Received: by 2002:a17:90b:1b44:b0:2e0:7e80:2011 with SMTP id
 98e67ed59e1d1-2e94c21cd58mr27726915a91.16.1730835386922; 
 Tue, 05 Nov 2024 11:36:26 -0800 (PST)
Original-Received: from [192.168.1.2] (syn-023-240-098-037.res.spectrum.com.
 [23.240.98.37]) by smtp.googlemail.com with ESMTPSA id
 98e67ed59e1d1-2e92fa26a38sm12351187a91.22.2024.11.05.11.36.26
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Tue, 05 Nov 2024 11:36:26 -0800 (PST)
Content-Language: en-US
In-Reply-To: <86bjyttxql.fsf@gnu.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.bugs:294920
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/294920>

On 11/5/2024 9:08 AM, Eli Zaretskii wrote:
>> Cc: daniel watson <ozzloy@challenge-bot.com>, 65973@debbugs.gnu.org
>> From: Sebastián Monía
>>   <sebastian@sebasmonia.com>
>> Date: Tue, 05 Nov 2024 09:34:46 -0500
>>
>>
>> /added Jim for visibility/
>>
>> This seems like something simple enough to merge.
>> Thoughts?
>>
>> ozzloy <ozzloy@gmail.com> writes:
>>>   bump
>>>
>>>   On Wed, Sep 13, 2023 at 11:10 PM daniel watson <ozzloy@challenge-bot.com> wrote:
>>>
>>>   0. in one terminal, run this http server
>>>      https://git.sr.ht/~ozzloy/emacs-bug-63941/tree/master/item/server.py
>>>   1. in another terminal, run
>>>      socat -v tcp-listen:8086,fork tcp:localhost:8085
>>>   2. browse to the page with EWW,
>>>      M-x eww <ENTER> localhost:8086 <ENTER>
>>>   3. put the cursor on the word "Browse" <ENTER>
>>>   4. select any file to which you have read access for uploading
>>>   5. put cursor on "Submit" <ENTER>
>>>   6. observe the full path of the file is sent to the server.  this is
>>>      visible in both the python output and the socat output.
>>>
>>>   i'm including the diff inline to make it easier to review without
>>>   downloading the attached file.
> 
> I'd like some rationale for this change.  The original report never
> explains why sending the full absolute file name to the server is bad.

I see three possible reasons: 1) there could be (probably minor) privacy 
issues with sending the directory structure along to a server; 2) as far 
as I'm aware, other browsers only pass the "leaf" of the filename; 3) 
RFC 2813 says that *recipients* should ignore any directories:

    The receiving MUA SHOULD NOT respect any directory path information
    that may seem to be present in the filename parameter.  The filename
    should be treated as a terminal component only.  Portable
    specification of directory paths might possibly be done in the future
    via a separate Content-Disposition parameter, but no provision is
    made for it in this draft.

RFC 2813 is primarily about mail clients, but MDN suggests following it 
in a web context as well: 
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition>. 
So I think the RFC would suggest that it's *allowed* to send the 
directories in the "filename" field, but since the server is supposed to 
ignore it, there's no benefit to doing so.