killing mime magic (was: Re: [development] Drupal 4.7 release schedule)

Bèr Kessels ber at
Wed Jan 18 10:26:05 UTC 2006

Op woensdag 18 januari 2006 07:26, schreef Karoly Negyesi:
> These two are cured by killing MIME magic. I am sorry, but that's the best
>   we can do.

Note that already we have a potential security breah in our uploads. PHP is 
not very good at checking the uploads, Drupal is just a tad worse. 
Our server maintainer (a notorious security person) pointed me at it and 
proved that it is very easy to misconfigure drupal / or the server so that 
one opens up. Now, I agree with Gerhard, when he says that "it is certainly 
not our task to prevent apache misconfigurations". But in some extend that is 
the Microsoft way: "we cannot help it that people install insecure apps / 
plugins". In some extend. 

We should try to be as secure as possible in all configurations, in all 

So killing MIME magic does not sound like a good idea to me. Since it takes 
our biggest upload securtiy away. 
Unless I am comlpetely wrong about the MIME, and in that case I sould love 
some explanation :)

 [ Bèr Kessels | Drupal services ]

More information about the development mailing list