
7. Security Considerations

🇬🇧 English original

All form-processing software should treat user supplied form-data with sensitivity, as it often contains confidential or personally identifying information. There is widespread use of form "auto-fill" features in web browsers; these might be used to trick users to unknowingly send confidential information when completing otherwise innocuous tasks. multipart/form-data does not supply any features for checking integrity, ensuring confidentiality, avoiding user confusion, or other security features; those concerns must be addressed by the form-filling and form-data-interpreting applications.

Applications that receive forms and process them must be careful not to supply data back to the requesting form-processing site that was not intended to be sent.

It is important when interpreting the filename of the Content-Disposition header field to not inadvertently overwrite files in the recipient's file space.

User applications that request form information from users must be careful not to cause a user to send information to the requestor or a third party unwillingly or unwittingly.

With the introduction of form-data that can reasonably send back the content of files from a user's file space, the possibility arises that a user might be sent an automated script that fills out a form and then sends one of the user's local files to another address. Thus, additional caution is required when executing automated scripting where form-data might include a user's files.

Files sent via multipart/form-data may contain arbitrary executable content, and precautions against malicious content are necessary. The considerations of Sections 2.3 and 5 of [RFC2183], with respect to the "filename" parameter of the Content-Disposition header field, also apply to its usage here.
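The filename cautions above (not overwriting files in the recipient's file space, and the [RFC2183] considerations for the "filename" parameter) can be enforced on the receiving side as in the following added example, which is not part of the RFC text. The function names, the character allow-list, the 100-character limit and the `-N` collision suffix are assumptions chosen for illustration.

```python
import os
import re

_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")   # assumed conservative allow-list
MAX_LEN = 100                              # assumed length limit

def sanitize_filename(raw: str) -> str:
    """Reduce an untrusted Content-Disposition filename to a bare name."""
    # Clients on any OS may send either separator, so treat both as
    # path delimiters and keep only the final component.
    name = raw.replace("\\", "/").split("/")[-1]
    # Replace everything outside the allow-list (spaces, NUL, control chars).
    name = _UNSAFE.sub("_", name)
    # Drop leading dots: rules out ".", ".." and hidden/config files.
    name = name.lstrip(".")[:MAX_LEN]
    return name or "upload"

def store_upload(upload_dir: str, raw_filename: str, data: bytes) -> str:
    """Write data under upload_dir without ever replacing an existing file."""
    base = sanitize_filename(raw_filename)
    stem, ext = os.path.splitext(base)
    # O_EXCL makes creation fail if the name exists (including as a symlink),
    # so the existence check and the creation are a single atomic step.
    flags = (os.O_WRONLY | os.O_CREAT | os.O_EXCL
             | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_BINARY", 0))
    for n in range(1000):
        candidate = base if n == 0 else f"{stem}-{n}{ext}"
        path = os.path.join(upload_dir, candidate)
        try:
            fd = os.open(path, flags, 0o600)
        except FileExistsError:
            continue                       # name taken: try the next suffix
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return path
    raise RuntimeError("no free filename in upload directory")

if __name__ == "__main__":
    import tempfile
    # Constructed sample filenames, as a hostile or careless client might send.
    samples = ["../../etc/passwd", "..\\..\\boot.ini", ".htaccess", "passwd"]
    with tempfile.TemporaryDirectory() as d:
        for s in samples:
            print(repr(s), "->", os.path.basename(store_upload(d, s, b"x")))
```

Opening with `O_CREAT | O_EXCL` rather than checking `os.path.exists()` first avoids a race between the check and the write.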
