killing mime magic (was: Re: [development] Drupal 4.7 release schedule)

Karoly Negyesi karoly at negyesi.net
Wed Jan 18 10:39:20 UTC 2006


> So killing MIME magic does not sound like a good idea to me. Since it takes
> our biggest upload security away.
> Unless I am completely wrong about the MIME, and in that case I would love
> some explanation :)

Little security is gained by using MIME magic. It's being used so that
it's a bit harder (not much) to upload doctored MIME type stuff... The
real security is in the following lines, which add .txt to everything text.

If you upload a .GIF which is not an image but an XSS JS and the MIME is  
text/plain so that IE will go guessing MIME type be it damned forever then  
if (((substr($file->filemime, 0, 5) == 'text/'  will stop the parade.

I am pretty confident about losing this recently introduced functionality.

Regards

NK
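
The check described in the message above, sketched as an added example; it is not part of the original post and is not Drupal's own code. The function name, the array keys and the sample uploads are hypothetical, and forcing the stored type to text/plain is an assumption of this sketch.

```php
<?php
// Added illustration. Names are hypothetical, not Drupal's API.

/**
 * Store any upload declared as text/* under a .txt name.
 *
 * The decision uses only the declared MIME type, so it does not depend
 * on MIME magic: a script uploaded as "banner.gif" with a text/* type
 * ends up as "banner.gif.txt".
 */
function neutralize_text_upload(array $file): array
{
    // Same prefix test the message quotes: first five characters are "text/".
    $isText = strncasecmp($file['filemime'], 'text/', 5) === 0;
    $hasTxt = strcasecmp(substr($file['filename'], -4), '.txt') === 0;

    if ($isText) {
        // Assumption of this sketch: collapse every text/* subtype
        // (text/html, text/javascript, ...) to text/plain.
        $file['filemime'] = 'text/plain';
        if (!$hasTxt) {
            $file['filename'] .= '.txt';
        }
    }
    return $file;
}

// Constructed sample uploads (filename plus declared MIME type).
$uploads = [
    ['filename' => 'photo.gif',  'filemime' => 'image/gif'],
    ['filename' => 'banner.gif', 'filemime' => 'text/plain'],
    ['filename' => 'page.html',  'filemime' => 'text/html'],
    ['filename' => 'notes.txt',  'filemime' => 'text/plain'],
];

foreach ($uploads as $upload) {
    $stored = neutralize_text_upload($upload);
    printf(
        "%-11s %-10s -> %-15s %s\n",
        $upload['filename'],
        $upload['filemime'],
        $stored['filename'],
        $stored['filemime']
    );
}
```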


