Ghostkeeper
commented
3 years ago This is not considered an important bug, because:
- It's extremely rare that a 3MF archive would contain a relationship about a file that is not itself in the archive. While allowed, I know of no application that generates that.
- The path the MustPreserved tag must exactly match a path from a different archive, which is very rare. Purposefully constructing tags like this is harmless (it increases file size a bit, but never beyond the sum of the file sizes of the individual archives being loaded), so there is no security issue.
- If the file is accidentally preserved, that is still valid according to the 3MF specification. Just undesirable.
- This add-on doesn't store files not originating from 3MF archives, so it's no security risk.
When loading an archive, it is possible that the archive contains a MustPreserve relationship pointing to a target that is not in the archive. If that target is present in a different 3MF archive and that archive is loaded as well, then the MustPreserve relationship from one archive is applied to the file in the other archive. As a result, the file from the other archive is preserved, even though that archive didn't indicate that the file should be preserved. If a file does not have the MustPreserve relationship in one archive, the file SHOULD NOT be preserved, according to the specification. As such, preserving that file is undesirable.