application/postscript

MIME型 application/postscript

[3] application/postscript は、 PostScript プログラムを表す MIME型です >>2

仕様書

意味

[4] application/postscript が規定された時点で PostScript には水準1と水準2がありますが >>2、どちらにも使えます。

[7] PostScript DSC (document structuring conventions) は必須ではありませんが、 相互運用性のため強く推奨されています >>2

[5] PostScriptAdobe Systems, Inc.登録商標であり、 application/postscript MIME型を使うことは、 本商標とそれにより課されるすべての権利を認識 (recognition) することを暗示しています >>2

[6] それが具体的に何を求めているのかは謎です。

処理

[8] 一般目的の PostScript 解釈器にデータを引き渡すと、セキュリティー上の問題を引き起こすことがあります。 MIME の実装は次のような点に注意する必要があります。 >>2

  • [9] deletefile などファイル操作の演算があります。 送信者は避けるべきですし、受信者は危険な操作を無効にするか、 特権を持たせないよう注意するべきです。
  • [10] 通常の解釈器などを終了させる演算があり、「外側」の環境への変更が残ったまま次の文書が処理されることになるかもしれません。 従ってサービス拒否攻撃となる危険性があります。 送信者はそうした操作に依存するべきではありませんし、 受信者は startjobexitserver の操作を除去したり無効化したりして変更が環境に残らないようにするべきです。
  • [11] setsystemparams などシステムや装置の引数を変更する演算があります。 送信者はそうしたものが正しく動作することに依存するべきではありませんし、 受信者は変更を無効化するべきです。
  • [12] 実装によっては非標準ながら機械コードの直接実行機能があります。 送信者は使うべきではありませんし、受信者は実行するべきではありません。
  • [13] 送信者は非標準の拡張を使うべきではありませんし、 受信者は危険がないようにするべきです。
  • [14] システムの資源を大量に消費したり、無限ループに陥ったりするかもしれません。 送信者はそのようなものを避けるべきですし、 受信者は十分な時間が経過した処理を中断する仕組みを提供するべきです。 またシステムの資源の消費量を制限するべきです。
  • [15] 生のバイナリーデータを含めることができますが、インターネットメールでは推奨されていません。
  • [16] 解釈器の不具合により受信者のシステムを操作できるかもしれません。

歴史

[1] RFC 2046 4.5.2. PostScript Subtype PostScript 亜型

A media type of "application/postscript" indicates a PostScript program. Currently two variants of the PostScript language are allowed; the original level 1 variant is described in [POSTSCRIPT] and the more recent level 2 variant is described in [POSTSCRIPT2].

媒体型 "application/postscript" は PostScript プログラムを示します。現在 PostScript 言語は2種類が認められます。 元の水準1は [POSTSCRIPT] で説明されています。 比較的新しい水準2は [POSTSCRIPT2] で説明されています。

PostScript is a registered trademark of Adobe Systems, Inc. Use of the MIME media type "application/postscript" implies recognition of that trademark and all the rights it entails.

PostScript は Adobe Systems, Inc. の登録商標です。 MIME 媒体型 "application/postscript" の使用は、この商標とそれに伴う全ての権利を認識することを必要とします。

The PostScript language definition provides facilities for internal labelling of the specific language features a given program uses. This labelling, called the PostScript document structuring conventions, or DSC, is very general and provides substantially more information than just the language level. The use of document structuring conventions, while not required, is strongly recommended as an aid to interoperability. Documents which lack proper structuring conventions cannot be tested to see whether or not they will work in a given environment. As such, some systems may assume the worst and refuse to process unstructured documents.

PostScript 言語定義は当該プログラムが使う特定言語機能の内部札付け機能を用意しています。この札付けは PostScript 文書構造協定 日本語定訳ありますか?, DSC と呼ばれますが、これは非常に一般的で本質的に単なる言語層以上の情報を提供するものです。 文書構造協定の使用は、必須ではありませんが、相互通信性の向上のために強く推奨します。 適切な構造協定のない文書は当該環境で機能するかどうかを試験することが出来ません。 ですから、構造協定のない文書を最悪とみなして処理するのを拒む処理系があります。

The execution of general-purpose PostScript interpreters entails serious security risks, and implementors are discouraged from simply sending PostScript bodies to "off-the-shelf" interpreters. While it is usually safe to send PostScript to a printer, where the potential for harm is greatly constrained by typical printer environments, implementors should consider all of the following before they add interactive display of PostScript bodies to their MIME readers.

一般目的の PostScript 解釈器の実行は重大な安全上の危険を伴うので、実装者には PostScript 本体を単純に 「off-the-shelf」なんて訳せばいいでしょ?解釈器に送ってしまわないことを推奨します。通常、 PostScript を印刷機に送ることは、害する可能性を典型的な印刷機環境は強く抑制してしまうので安全ですが、実装者は PostScript 本体を MIME 読者に対話型表示する前に次の全てを考慮するのが良いです。

The remainder of this section outlines some, though probably not all, of the possible problems with the transport of PostScript entities.

この節の残りの部分では、 PostScript 実体の転送に伴い起こり得る問題の, おそらく全てではありませんが幾つかを概説します。

    (1)   Dangerous operations in the PostScript language
          include, but may not be limited to, the PostScript
          operators "deletefile", "renamefile", "filenameforall",
          and "file".  "File" is only dangerous when applied to
          something other than standard input or output.
          Implementations may also define additional nonstandard
          file operators; these may also pose a threat to
          security. "Filenameforall", the wildcard file search
          operator, may appear at first glance to be harmless.
          Note, however, that this operator has the potential to
          reveal information about what files the recipient has
          access to, and this information may itself be
          sensitive.  Message senders should avoid the use of
          potentially dangerous file operators, since these
          operators are quite likely to be unavailable in secure
          PostScript implementations.  Message receiving and
          displaying software should either completely disable
          all potentially dangerous file operators or take
          special care not to delegate any special authority to
          their operation.  These operators should be viewed as
          being done by an outside agency when interpreting
          PostScript documents.  Such disabling and/or checking
          should be done completely outside of the reach of the
          PostScript language itself; care should be taken to
          insure that no method exists for re-enabling full-
          function versions of these operators.
    (2)   The PostScript language provides facilities for exiting
          the normal interpreter, or server, loop.  Changes made
          in this "outer" environment are customarily retained
          across documents, and may in some cases be retained
          semipermanently in nonvolatile memory.  The operators
          associated with exiting the interpreter loop have the
          potential to interfere with subsequent document
          processing.  As such, their unrestrained use
          constitutes a threat of service denial.  PostScript
          operators that exit the interpreter loop include, but
          may not be limited to, the exitserver and startjob
          operators.  Message sending software should not
          generate PostScript that depends on exiting the
          interpreter loop to operate, since the ability to exit
          will probably be unavailable in secure PostScript
          implementations.  Message receiving and displaying
          software should completely disable the ability to make
          retained changes to the PostScript environment by
          eliminating or disabling the "startjob" and
          "exitserver" operations.  If these operations cannot be
          eliminated or completely disabled the password
          associated with them should at least be set to a hard-
          to-guess value.
    (3)   PostScript provides operators for setting system-wide
          and device-specific parameters.  These parameter
          settings may be retained across jobs and may
          potentially pose a threat to the correct operation of
          the interpreter.  The PostScript operators that set
          system and device parameters include, but may not be
          limited to, the "setsystemparams" and "setdevparams"
          operators.  Message sending software should not
          generate PostScript that depends on the setting of
          system or device parameters to operate correctly.  The
          ability to set these parameters will probably be
          unavailable in secure PostScript implementations.
          Message receiving and displaying software should
          disable the ability to change system and device
          parameters.  If these operators cannot be completely
          disabled the password associated with them should at
          least be set to a hard-to-guess value.
    (4)   Some PostScript implementations provide nonstandard
          facilities for the direct loading and execution of
          machine code.  Such facilities are quite obviously open
          to substantial abuse.  Message sending software should
          not make use of such features.  Besides being totally
          hardware-specific, they are also likely to be
          unavailable in secure implementations of PostScript.
          Message receiving and displaying software should not
          allow such operators to be used if they exist.
    (5)   PostScript is an extensible language, and many, if not
          most, implementations of it provide a number of their
          own extensions.  This document does not deal with such
          extensions explicitly since they constitute an unknown
          factor.  Message sending software should not make use
          of nonstandard extensions; they are likely to be
          missing from some implementations.  Message receiving
          and displaying software should make sure that any
          nonstandard PostScript operators are secure and don't
          present any kind of threat.
    (6)   It is possible to write PostScript that consumes huge
          amounts of various system resources.  It is also
          possible to write PostScript programs that loop
          indefinitely.  Both types of programs have the
          potential to cause damage if sent to unsuspecting
          recipients.  Message-sending software should avoid the
          construction and dissemination of such programs, which
          is antisocial.  Message receiving and displaying
          software should provide appropriate mechanisms to abort
          processing after a reasonable amount of time has
          elapsed. In addition, PostScript interpreters should be
          limited to the consumption of only a reasonable amount
          of any given system resource.
    (7)   It is possible to include raw binary information inside
          PostScript in various forms.  This is not recommended
          for use in Internet mail, both because it is not
          supported by all PostScript interpreters and because it
          significantly complicates the use of a MIME Content-
          Transfer-Encoding.  (Without such binary, PostScript
          may typically be viewed as line-oriented data.  The
          treatment of CRLF sequences becomes extremely
          problematic if binary and line-oriented data are mixed
          in a single Postscript data stream.)
    (8)   Finally, bugs may exist in some PostScript interpreters
          which could possibly be exploited to gain unauthorized
          access to a recipient's system.  Apart from noting this
          possibility, there is no specific action to take to
          prevent this, apart from the timely correction of such
          bugs if any are found.

関連

[17] PDF 用には application/pdf があります。

メモ