killing mime magic (was: Re: [development] Drupal 4.7 release schedule)
Bèr Kessels
ber at webschuur.com
Wed Jan 18 10:26:05 UTC 2006
On Wednesday 18 January 2006 07:26, Karoly Negyesi wrote:
> These two are cured by killing MIME magic. I am sorry, but that's the best
> we can do.
Note that we already have a potential security breach in our uploads. PHP is
not very good at checking the uploads; Drupal is just a tad worse.

Our server maintainer (a notorious security person) pointed me at it and
proved that it is very easy to misconfigure Drupal or the server so that
one opens up. Now, I agree with Gerhard when he says that "it is certainly
not our task to prevent Apache misconfigurations". But to some extent that is
the Microsoft way: "we cannot help it that people install insecure apps /
plugins". To some extent.

We should try to be as secure as possible in all configurations, in all
environments.

So killing MIME magic does not sound like a good idea to me, since it takes
our biggest upload security away.

Unless I am completely wrong about the MIME, in which case I would love
some explanation :)
Bèr
--
[ Bèr Kessels | Drupal services www.webschuur.com ]
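The check this thread is arguing about, content-based MIME detection as a second line of defence behind the file extension, looks like the following in PHP. This is an added example written for this archive page; it is not Drupal's upload code and not code from anyone in the thread. It assumes the fileinfo extension (finfo_open/finfo_file) is available, uses a made-up allow-list of types, and exercises the validator on constructed sample files rather than real uploads.

```php
<?php
// Added example (not Drupal's code): validate an upload by comparing the
// MIME type derived from the file's bytes (fileinfo) with the type implied
// by the extension, and refuse anything a loosely configured web server
// might execute. Assumes the fileinfo extension is loaded.

declare(strict_types=1);

// Allow-list: each permitted extension and the content type it must really have.
// Assumption: the site only accepts these image/document types.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
    'txt'  => 'text/plain',
];

/**
 * Return null when the upload is acceptable, otherwise a reason string.
 *
 * $clientName is the name the browser sent; $path is the temporary file.
 * The browser-supplied $_FILES[...]['type'] is deliberately ignored: it is
 * client-controlled and proves nothing about the bytes on disk.
 */
function validate_upload(string $clientName, string $path): ?string
{
    // Reject names with several extensions (foo.php.txt) or none at all;
    // both confuse servers whose AddHandler/AddType rules are set loosely.
    $parts = explode('.', basename($clientName));
    if (count($parts) !== 2 || $parts[0] === '') {
        return 'file name must be "name.ext" with exactly one extension';
    }
    $ext = strtolower($parts[1]);
    if (!isset(ALLOWED_TYPES[$ext])) {
        return "extension .$ext is not allowed";
    }

    // Content-based detection: look at the bytes, not the name.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    if ($finfo === false) {
        return 'fileinfo unavailable; refusing rather than guessing';
    }
    $detected = finfo_file($finfo, $path);
    finfo_close($finfo);

    if ($detected !== ALLOWED_TYPES[$ext]) {
        return "content looks like $detected, not " . ALLOWED_TYPES[$ext];
    }

    // Extra care for plain text: a .txt holding a PHP open tag is still
    // text/plain to libmagic, so scan the first 8 KiB for one.
    if ($detected === 'text/plain') {
        $head = file_get_contents($path, false, null, 0, 8192);
        if ($head !== false && stripos($head, '<?php') !== false) {
            return 'text file contains a PHP open tag';
        }
    }
    return null;
}

// Demonstration on constructed sample files (written to the temp dir).
// These are not real uploads; they exist only to exercise the validator.
$tmp = sys_get_temp_dir();
$samples = [
    'logo.png'    => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32), // real PNG signature
    'shell.png'   => "<?php echo 'not an image'; ?>",        // script named as an image
    'notes.txt'   => "just some notes\n",
    'sneaky.txt'  => "<?php echo 'not notes'; ?>",           // script named as text
    'a.php.png'   => "\x89PNG\r\n\x1a\n",                     // double extension
    'report.pdf'  => "%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",          // PDF header only
];
foreach ($samples as $name => $bytes) {
    $path = "$tmp/upload-" . md5($name);
    file_put_contents($path, $bytes);
    $verdict = validate_upload($name, $path) ?? 'accepted';
    echo str_pad($name, 12) . " => $verdict\n";
    unlink($path);
}
```

The point the example makes is the one the mail makes: the extension and the browser's declared type are both under the uploader's control, so the only evidence worth trusting is what the file content itself looks like, and where libmagic cannot tell (plain text), the validator errs on the side of rejecting. A server that does not execute anything under the upload directory is still the primary control; this check is what stands when that configuration slips.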