killing mime magic (was: Re: [development] Drupal 4.7 release schedule)
Karoly Negyesi
karoly at negyesi.net
Wed Jan 18 10:39:20 UTC 2006
> So killing MIME magic does not sound like a good idea to me, since it
> takes our biggest upload security away.
> Unless I am completely wrong about the MIME, and in that case I should
> love some explanation :)
Little security is gained by using MIME magic. It's being used so that
it's a bit harder (not much) to upload doctored MIME-type stuff... The
real security is in the following lines, which add .txt to everything that is text.
If you upload a .GIF which is not an image but XSS JS, and the MIME is
text/plain (so that IE will go guessing the MIME type, be it damned forever), then
if (((substr($file->filemime, 0, 5) == 'text/' will stop the parade.
I am pretty confident about losing this recently introduced functionality.
Regards
NK
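Added example (not Drupal's upload.module code, and not from Karoly's message) of the check the message refers to: whatever MIME type has been detected, anything in the text/ family gets .txt appended to its filename, so a file named like an image but containing markup is no longer served under the image name. The guess_mime() helper is a stand-in for real detection (assumption: Drupal used fileinfo/file_get_mimetype() at the time), and the sample uploads are constructed for the demonstration.

```php
<?php
// Example code, not Drupal's own. Mirrors the "text/" prefix test from the
// message: text uploads get ".txt" appended so the web server and browser
// treat them as plain text rather than as whatever the original extension claims.
function safe_upload_filename(string $filename, string $filemime): string {
    // Only the "text/" family is rewritten; images, archives etc. keep their name.
    if (substr($filemime, 0, 5) == 'text/' && substr($filename, -4) != '.txt') {
        return $filename . '.txt';
    }
    return $filename;
}

// Assumed stand-in for MIME detection (real code would use fileinfo).
// Anything without a known binary signature is declared text/plain.
function guess_mime(string $contents): string {
    if (substr($contents, 0, 6) === 'GIF89a' || substr($contents, 0, 6) === 'GIF87a') {
        return 'image/gif';
    }
    if (substr($contents, 0, 8) === "\x89PNG\r\n\x1a\n") {
        return 'image/png';
    }
    return 'text/plain';
}

// Constructed samples: a genuine GIF header, a ".gif" that is really markup,
// and an ordinary text file that must not be renamed twice.
$samples = [
    'photo.gif'    => "GIF89a\x01\x00\x01\x00",
    'doctored.gif' => "<html><script>alert(document.cookie)</script></html>",
    'notes.txt'    => "plain notes",
];

foreach ($samples as $name => $contents) {
    $mime = guess_mime($contents);
    printf("%-14s %-11s -> %s\n", $name, $mime, safe_upload_filename($name, $mime));
}
```

Run it with the PHP CLI; the doctored file comes out as doctored.gif.txt while the real image and the existing .txt file keep their names. The rename is keyed on the detected type, not on the extension the uploader chose, which is why it still works when the extension lies.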