Re: OT: security

Posted by Umberto Salsi on 10/16/07 12:11

Michael Fesser <netizen@gmx.de> wrote:

> .oO(Umberto Salsi)
>
> >Remarks: always save the MIME type as provided by the client, never rely on
> >the "extension"
>
> IMHO this might expose new security holes. The MIME type sent from the
> client (if it is there at all!) is as unreliable as the file extension,
> anything can be faked. If someone uploads some malicious content (maybe
> an IE exploit) for example as 'image/jpeg' with a .jpg extension and
> your script delivers this file in the same way - well, we all know how
> IE deals with file extensions and content type headers ...

The file "virus.exe" of type "image/jpeg" definitively *is* an image. That
seeming extension ".exe" indicates an executable only on Windows, but it
has no particular meaning on other systems and it must be considered simply
a descriptive appendix of the file name without any particular meaning.

The security of the files, their name and type is not a concern of the WEB
server. The server has only the responsibility to ensure respect for the
Internet standards. Internet standards state that the type of a content
is uniquely specified by a suitable MIME type. The name of the file may
contain an extension or something that may look similar to an extension,
but still this name is only a descriptive text that suggests to the client
a possible name.

If the client file system needs extensions, it is completely under its
responsibility to ensure a proper name and a proper extension. So our
"virus.exe" should be translated to "virus.exe.jpg" or "virus_exe.jpg"
or something similar.

If you are going to save the file just uploaded into the file system of
the server, it is completely under the responsibility of your application
to build a file name and possibly an extension that fit the conventions of
the underlying file system. Otherwise, if you are going to save the meta-data
into the DB (name and MIME type) you should simply preserve the original
name and MIME type, whichever the extension may be.

People using MSIE usually are completely unaware of what they are doing,
and spend their time downloading many files, and opening many untrusted
emails every day, blindly executing every type of content. So there is very
little you can do from your WEB site to protect them.

> >, there are many more MIME types than available three-letter
> >readable codes.
>
> There are also libraries available to test/sniff MIME types.
>
> Micha

These libraries can be useful if you need to convert from the Internet
name/type representation to some internal name+extension representation.

All IMHO, obviously.

Best regards,
___
/_|_\ Umberto Salsi
\/_\/ www.icosaedro.it
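As an added example, not code from either poster, here is an upload handler that follows the points both sides of the thread end up agreeing on: the client's file name and Content-Type are preserved verbatim as metadata, the name used on the server file system is built by the application, and the type used when serving the file back comes from sniffing the content rather than from the extension. The magic-byte table, the `StoredUpload` class and the sample inputs are constructed for illustration; a real application would use libmagic or a similar library for the sniffing step.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed, deliberately small magic-byte table; a real application would
# use libmagic (python-magic) or similar, as the thread suggests.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "image/png", "png"),
    (b"GIF87a", "image/gif", "gif"),
    (b"GIF89a", "image/gif", "gif"),
    (b"%PDF-", "application/pdf", "pdf"),
]

@dataclass
class StoredUpload:
    storage_name: str   # name on the server file system, derived from content
    sniffed_type: str   # type derived from the bytes; used when serving
    extension: str      # extension matching sniffed_type
    original_name: str  # client-supplied name, preserved verbatim as metadata
    claimed_type: str   # client-supplied Content-Type, preserved as metadata

def sniff_type(data: bytes) -> tuple:
    """Derive (MIME type, extension) from the leading bytes, not from the name."""
    for magic, mime, ext in MAGIC:
        if data.startswith(magic):
            return mime, ext
    return "application/octet-stream", "bin"

def store_upload(data: bytes, original_name: str, claimed_type: str) -> StoredUpload:
    mime, ext = sniff_type(data)
    # Random token: no collisions, and nothing from the client name ("../",
    # NUL bytes, a scripting extension) can reach the server file system.
    return StoredUpload(f"{secrets.token_hex(16)}.{ext}", mime, ext,
                        original_name, claimed_type)

def download_headers(u: StoredUpload) -> dict:
    """Headers for serving the file back: content-derived type, no browser
    sniffing, and a suggested name whose extension agrees with that type."""
    base = u.original_name.replace("\\", "/").rsplit("/", 1)[-1]
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"
    if not safe.lower().endswith("." + u.extension):
        safe += "." + u.extension        # "virus.exe" becomes "virus.exe.jpg"
    return {
        "Content-Type": u.sniffed_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe}"',
    }
```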
