Re: OT: security

Posted by Michael Fesser on 10/16/07 19:28

..oO(Umberto Salsi)

>Michael Fesser <netizen@gmx.de> wrote:
>
>> .oO(Umberto Salsi)
>>
>> >Remarks: always save the MIME type as provided by the client, never rely on
>> >the "extension"
>>
>> IMHO this might expose new security holes. The MIME type sent from the
>> client (if it is there at all!) is as unreliable as the file extension,
>> anything can be faked. If someone uploads some malicious content (maybe
>> an IE exploit) for example as 'image/jpeg' with a .jpg extension and
>> your script delivers this file in the same way - well, we all know how
>> IE deals with file extensions and content type headers ...
>
>The file "virus.exe" of type "image/jpeg" definitively *is* an image.

It could be anything, unless you have a closer look at its content.
That's the only way to ensure that an uploaded file is really what you
expect or what it claims to be. MIME type info sent from the client is
just as descriptive or decorative as the file's extension.

>The security of the files, their name and type is not a concern of the WEB
>server. The server has only the responsibility to ensure the respect of the
>Internet standards. Internet standards state that the type of content
>is uniquely specified by a suitable MIME type.

Yes, but how do you get the _correct_ MIME type for an uploaded file?
The client _may_ send one or not. If there is one, it _may_ be correct
or faked. You can't rely on that.

>If the client file system needs extensions, it is completely under its
>responsibility to ensure a proper name and a proper extension. So our
>"virus.exe" should be translated to "virus.exe.jpg" or "virus_exe.jpg"
>or something alike.

Yes, it _should_. But the world's most used browser doesn't really care
about MIME types and proper handling of received files, that's the
problem.

>People using MSIE usually are completely unaware of what they are doing,
>and spend their time downloading many files, and opening many untrusted
>emails every day, blindly executing every type of content. So there is very
>little you can do from your WEB site to protect them.

You can at least make sure that they won't receive malicious files from
your own site.

Micha
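The approach Michael argues for, looking at the bytes instead of trusting the client's MIME type or extension, as an added PHP example that is not part of the original thread. The helper name `detect_image_type`, the form field `upload` and the `uploads/` directory are assumptions.

```php
<?php
// Added example: decide what an upload is by reading its bytes; the
// client-supplied $_FILES[...]['type'] and the file extension are ignored.
// (Hypothetical helper, not from the original thread.)
function detect_image_type(string $path): ?string
{
    // Magic bytes first: cheap rejection of obviously mislabelled files.
    $magic = [
        'image/jpeg' => "\xFF\xD8\xFF",
        'image/png'  => "\x89PNG\r\n\x1A\n",
        'image/gif'  => "GIF8",
    ];
    $head = file_get_contents($path, false, null, 0, 8);
    if ($head === false) {
        return null;
    }
    foreach ($magic as $type => $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            // Second opinion: the file must also parse as the type its
            // header claims, not merely start with the right bytes.
            $info = @getimagesize($path);
            return ($info !== false && $info['mime'] === $type) ? $type : null;
        }
    }
    return null;
}

// Upload handling: the declared type is not consulted at all.
$field = $_FILES['upload'] ?? null;
if ($field === null || $field['error'] !== UPLOAD_ERR_OK
    || !is_uploaded_file($field['tmp_name'])) {
    http_response_code(400);
    exit('upload failed');
}
$type = detect_image_type($field['tmp_name']);
if ($type === null) {
    http_response_code(415);
    exit('not an image');
}
// Store under a server-chosen name whose extension follows the detected
// type, so a "virus.exe" declared as image/jpeg never keeps its own name.
$ext  = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'][$type];
$dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($field['tmp_name'], $dest)) {
    http_response_code(500);
    exit('could not store file');
}
```

When the stored file is later served, send the detected type as `Content-Type` together with `X-Content-Type-Options: nosniff`, so the browser does not re-guess the type from the content.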
