On Wednesday 18 January 2006 11:39, Karoly Negyesi wrote:

> Little security is gained by using MIME magic. It's being used so that it's a bit harder (not much) to upload doctored MIME type stuff... The real security is in the following lines which add .txt to everything text.
MIME is indeed just a small improvement. But as stated before: we already have quite little security, and 0.01 is indeed a very small factor of 10. 10 + 0.01 is still ~10. But 0.01 added to 0.01 doubles the number: 0.01 + 0.01 = 0.02. In other words: it was a significant improvement, only because we (Drupal) do far too little (security wise) in uploads and file.inc. Adding a small improvement to very little security makes it significantly more secure :)
> If you upload a .GIF which is not an image but an XSS JS and the MIME is text/plain so that IE will go guessing MIME type be it damned forever then if (((substr($file->filemime, 0, 5) == 'text/' will stop the parade.
Our .txt replacement is quite insecure. First and foremost because it does the (never ever allowed in security land, so I am told) opt-in security: instead of only allowing certain known files to *not* be rewritten, it rewrites only a small subset of stuff that is possibly runnable on a server. What about jar, rhtml (ruby), python etc.? They are all let through. We leave it to the admins to configure stuff correctly, and don't really help them.

However, this is all part of the betterupload plans. But I am fine with you removing it. file.inc needs a lot of work anyway. So does upload.module. Adding a little more work to that will not make a huge difference. People who are really concerned about their security should not lean on upload and file.inc anyway, but should add scripts and so on behind it, on the server :)

I was only raising this concern, because you are voting for removing a part of the little security we do have.

-- 
PGP ber@webschuur.com http://www.webschuur.com/sites/webschuur.com/files/ber_webschuur.asc
PGP berkessels@gmx.net http://www.webschuur.com/sites/webschuur.com/files/ber_gmx.asc
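To make the "opt-in versus allowlist" point of the thread concrete, here is an added standalone model of the two rename policies (this is illustrative code, not Drupal's file.inc): a denylist policy that appends .txt only to a few known-executable extensions, beside an allowlist policy that appends .txt to everything not explicitly trusted. Both also apply the text/* MIME rule quoted above; the extension sets and the sample uploads are constructed for the example.

```python
import os

# Constructed sample uploads: (filename, MIME type as reported by server-side
# detection). Not taken from any real site; detection results vary in practice.
UPLOADS = [
    ("logo.gif", "image/gif"),
    ("notes.txt", "text/plain"),
    ("shell.php", "text/x-php"),
    ("applet.jar", "application/java-archive"),
    ("view.rhtml", "application/octet-stream"),  # unrecognised by MIME magic
    ("tool.py", "text/x-python"),
    ("fake.gif", "text/plain"),  # script content hiding behind an image name
]

# Denylist ("opt-in") policy: only these extensions are treated as dangerous.
DENYLIST = {"php", "pl", "cgi", "asp", "js"}
# Allowlist policy: only these extensions are allowed to keep their name.
ALLOWLIST = {"gif", "jpg", "jpeg", "png", "pdf", "txt"}


def _ext(name):
    """Lower-cased extension without the dot ('' if there is none)."""
    return os.path.splitext(name)[1].lstrip(".").lower()


def _is_text(mime):
    """The check from the thread: anything the server thinks is text/*."""
    return mime.startswith("text/")


def denylist_rename(name, mime):
    """Append .txt only to known-bad extensions or text/* content."""
    if _ext(name) == "txt":
        return name  # already neutralised
    if _ext(name) in DENYLIST or _is_text(mime):
        return name + ".txt"
    return name


def allowlist_rename(name, mime):
    """Append .txt to anything not explicitly trusted, and to all text/* content."""
    if _ext(name) == "txt":
        return name
    if _ext(name) not in ALLOWLIST or _is_text(mime):
        return name + ".txt"
    return name


def passed_through(policy):
    """Names that a policy stores unchanged, i.e. still served under their own extension."""
    return {name for name, mime in UPLOADS if policy(name, mime) == name}
```

Under the denylist policy, applet.jar and view.rhtml keep their extensions (tool.py is caught only because detection happened to say text/*), whereas the allowlist policy lets only logo.gif and notes.txt through.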