Section 3.3.1 Uploading Files has two sentences that do not seem consistent:
... the Micropub endpoint MUST also accept a URL value, treating that the same as if the file had been uploaded directly. The endpoint MAY download [Fetch] a copy of the file at the URL and store it the same way it would store the file if it had been uploaded directly.
If the endpoint MUST treat the property as if the file had been uploaded directly then (presuming it doesn't simply ignore the content) what other option does it have than to download the content from that URL?
Irrespective of whether the MAY should be SHOULD, Section 6.1 Security and Privacy is incomplete in that it does not mention considerations for an endpoint when it fetches an arbitrary URL presented to it in lieu of uploading a file. At least a note about defensive measures is warranted.