killing mime magic (was: Re: [development] Drupal 4.7 release schedule)

Bèr Kessels ber at webschuur.com
Wed Jan 18 11:19:51 UTC 2006


On Wednesday 18 January 2006 11:39, Karoly Negyesi wrote:
> Little security is gained by using MIME magic. It's being used so that
> it's a bit harder (not much) to upload doctored MIME type stuff... The
> real security is in the following lines which add .txt to everything text.

Mime is indeed just a small improvement. But as stated before: we already have 
quite little security, and 0.01 is indeed a very small factor of 10. 10 + 0.01 
is still ~10, but 0.01 added to 0.01 doubles the number: 0.01 + 0.01 = 0.02. In 
other words: it was a significant improvement, only because we (Drupal) do 
far too little (security-wise) in uploads and file.inc. Adding a small 
improvement to very little security makes it significantly more secure :)

> If you upload a .GIF which is not an image but an XSS JS and the MIME is  
> text/plain so that IE will go guessing MIME type be it damned forever then
>   if (((substr($file->filemime, 0, 5) == 'text/'  will stop the parade.

Our .txt replacement is quite insecure, first and foremost because it does the 
(never ever allowed in security land, so I am told) opt-in security: 
instead of only allowing certain known files to *not* be rewritten, it 
rewrites only a small subset of stuff that is possibly runnable on a server. 
What about jar, rhtml (ruby), python etc.? They are all let through. We leave 
it to the admins to configure stuff correctly, and don't really help them. 

However, this is all part of betterupload plans.

But I am fine with you removing it. file.inc needs a lot of work anyway. So 
does upload.module. Adding a little more work to that will not make a huge 
difference. People who are really concerned about their security should not 
lean on upload and file.inc anyway, but should add scripts and so on behind it, 
on the server :)

I was only raising this concern, because you are voting for removing a part of 
the little security we do have. 
-- 
 PGP ber at webschuur.com
  http://www.webschuur.com/sites/webschuur.com/files/ber_webschuur.asc
 PGP berkessels at gmx.net
  http://www.webschuur.com/sites/webschuur.com/files/ber_gmx.asc
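
The contrast drawn in the message above, between rewriting only a known-bad subset of uploads and rewriting everything except known-good files, is sketched below as an added example that is not part of the original message and is not Drupal's own code. The function names, both extension lists and the sample uploads are constructed for illustration.

```php
<?php
// Added illustration; not code from Drupal's upload.module or file.inc.
// Function names, extension lists and sample uploads are all constructed.

// Denylist: append .txt only for text/* MIME types or listed extensions.
// Anything the list does not name keeps its original, possibly runnable, name.
function munge_denylist(string $name, string $mime): string {
  $text = substr($mime, 0, 5) == 'text/' && substr($name, -4) != '.txt';
  $script = preg_match('/\.(php|pl|cgi|asp)$/i', $name) === 1;
  return ($text || $script) ? $name . '.txt' : $name;
}

// Allowlist: keep the name only when the final extension is explicitly
// permitted; unknown, missing or empty extensions all fall through to .txt.
function munge_allowlist(string $name, string $mime, array $allowed): string {
  $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
  $text = substr($mime, 0, 5) == 'text/' && $ext !== 'txt';
  if ($ext === '' || $text || !in_array($ext, $allowed, true)) {
    return $name . '.txt';
  }
  return $name;
}

// Constructed allowlist and constructed sample uploads (name, reported MIME type).
$allowed = ['gif', 'jpg', 'png', 'pdf', 'txt'];
$uploads = [
  ['index.php',  'application/octet-stream'],
  ['applet.jar', 'application/java-archive'],
  ['page.rhtml', 'application/octet-stream'],
  ['tool.py',    'application/octet-stream'],
  ['banner.gif', 'text/plain'],
  ['photo.gif',  'image/gif'],
  ['notes.txt',  'text/plain'],
  ['README',     'application/octet-stream'],
];

// Print the stored name each policy would produce for every sample upload.
foreach ($uploads as [$name, $mime]) {
  printf("%-11s %-25s deny: %-15s allow: %s\n",
    $name, $mime,
    munge_denylist($name, $mime),
    munge_allowlist($name, $mime, $allowed));
}
```

Under the denylist the jar, rhtml and py samples keep their names, while the allowlist renames all three without having to know about them in advance.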

