Posted by Jerry Stuckle on 10/16/07 12:53
Umberto Salsi wrote:
> Michael Fesser <netizen@gmx.de> wrote:
>
>> .oO(Umberto Salsi)
>>
>>> Remarks: always save the MIME type as provided by the client, never rely on
>>> the "extension"
>> IMHO this might expose new security holes. The MIME type sent from the
>> client (if it is there at all!) is as unreliable as the file extension,
>> anything can be faked. If someone uploads some malicious content (maybe
>> an IE exploit) for example as 'image/jpeg' with a .jpg extension and
>> your script delivers this file in the same way - well, we all know how
>> IE deals with file extensions and content type headers ...
>
> The file "virus.exe" of type "image/jpeg" definitively *is* an image. That
> seeming extension ".exe" indicates an executable only on Windows, but it
> has no particular meaning on other systems and it must be considered simply
> a descriptive appendix of the file name without any particular meaning.
>
How do you know it is an image without verifying it? And what does the
operating system have to do with it? .jpg is used on both Linux and
Windows, for instance.
> The security of the files, their name and type is not a concern of the WEB
> server. The server has only the responsibility to ensure the respect of the
> Internet standards. Internet standards state that the type of a content
> is uniquely specified by a suitable MIME type. The name of the file may
> contain an extension or something that may look similar to an extension,
> but still this name is only a descriptive text that suggests to the client
> a possible name.
>
It should be. People are used to certain extensions, in all OS's. And
if you're any good webmaster at all, you'll take that into consideration.
> If the client file system needs extensions, it is completely under its
> responsibility to ensure a proper name and a proper extension. So our
> "virus.exe" should be translated to "virus.exe.jpg" or "virus_exe.jpg"
> or something alike.
>
But a webmaster builds a site for the users, and a good webmaster takes
users into consideration.
> If you are going to save the file just uploaded into the file system of
> the server, it is completely under the responsibility of your application
> to build a file name and possibly an extension that fit the conventions of
> the underlying file system. Otherwise if you are going to save the meta-data
> into the DB (name and MIME type) you should simply preserve the original
> name and MIME type, whichever the extension may be.
>
Or the conventions of the users. If it's a Windows executable that's
being uploaded, for instance, it should have a .exe extension.
> People using MSIE usually are completely unaware of what they are doing,
> and spend their time downloading many files, and opening many untrusted
> emails every day, blindly executing every type of content. So there is very
> little you can do from your WEB site to protect them.
>
That is an overly broad and inaccurate statement. Webmasters who make
such statements do not understand their users and don't know how to
build sites which cater to users.
>>> , there are many more MIME types than available three-letter
>>> readable codes.
>> There are also libraries available to test/sniff MIME types.
>>
>> Micha
>
> These libraries can be useful if you need to convert from the Internet
> name/type representation to some internal name+extension representation.
>
> All IMHO, obviously.
>
> Best regards,
> ___
> /_|_\ Umberto Salsi
> \/_\/ www.icosaedro.it
>
>
The libraries are useful for determining that the mime type is correct. You
should not be changing the file name/extension. Rather, if the mime
type is incorrect, you should reject the upload and notify the uploader
as to the reason.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
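To illustrate the approach in the reply above (sniff the uploaded content, compare it with the MIME type the client declared and with the file extension, and reject the upload with a reason rather than silently renaming it), here is an added example in Python. It is not code from this thread. The hand-written magic-number table is a stand-in for a real sniffing library such as libmagic, and the function names, the allowed-extension list and the sample uploads are all constructed for the example.

```python
"""Validate an upload by sniffing its content and comparing the result with
the declared MIME type and the file extension. Any mismatch is rejected and
reported back to the uploader; nothing is renamed on the server side."""

# Minimal magic-number table (assumed here as a stand-in for a real sniffing
# library). Each entry: (offset, leading bytes, MIME type they identify).
MAGIC = [
    (0, b"\xff\xd8\xff", "image/jpeg"),
    (0, b"\x89PNG\r\n\x1a\n", "image/png"),
    (0, b"GIF87a", "image/gif"),
    (0, b"GIF89a", "image/gif"),
    (0, b"%PDF-", "application/pdf"),
    (0, b"MZ", "application/vnd.microsoft.portable-executable"),
]

# Extensions this (hypothetical) site accepts and the MIME type each implies.
ALLOWED_EXTENSIONS = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "gif": "image/gif",
    "pdf": "application/pdf",
}


def sniff_mime(data):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for offset, signature, mime in MAGIC:
        if data[offset:offset + len(signature)] == signature:
            return mime
    return None


def validate_upload(filename, declared_mime, data):
    """Return (accepted, reason) for one upload.

    Order of checks: extension must be on the allow-list, the content must be
    recognisable, the content must agree with the extension, and the client's
    declared type must agree with the content. Every failure names the cause
    so it can be shown to the uploader.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_EXTENSIONS.get(ext)
    if expected is None:
        return False, f"extension '.{ext}' is not accepted"

    sniffed = sniff_mime(data)
    if sniffed is None:
        return False, "content does not match any recognised format"
    if sniffed != expected:
        return False, f"content is {sniffed} but the extension says {expected}"

    # Strip any parameters such as "; charset=..." before comparing types.
    declared = declared_mime.split(";", 1)[0].strip().lower()
    if declared != sniffed:
        return False, f"client declared {declared} but content is {sniffed}"
    return True, f"accepted as {sniffed}"


# Constructed sample uploads: (filename, client-declared MIME type, bytes).
SAMPLE_UPLOADS = [
    ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("virus.exe", "image/jpeg", b"MZ\x90\x00" + b"\x00" * 16),
    ("virus.jpg", "image/jpeg", b"MZ\x90\x00" + b"\x00" * 16),
    ("photo.exe", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("scan.pdf", "application/octet-stream", b"%PDF-1.4\n" + b"\x00" * 16),
]


def check_all(uploads=SAMPLE_UPLOADS):
    """Run every sample through the validator; map filename -> (accepted, reason)."""
    return {name: validate_upload(name, mime, data) for name, mime, data in uploads}


if __name__ == "__main__":
    for name, (ok, reason) in check_all().items():
        print(f"{name:10} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Note that "virus.jpg" (an executable carrying an image extension and an image MIME type) is rejected because the sniffed content disagrees with the extension, and "scan.pdf" is rejected purely because the client's declared type disagrees with the sniffed one, which is the case the reply above says should be bounced back to the uploader.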