killing mime magic (was: Re: [development] Drupal 4.7 release
ber at webschuur.com
Wed Jan 18 11:19:51 UTC 2006
Op woensdag 18 januari 2006 11:39, schreef Karoly Negyesi:
> Little security is gained by using MIME magic. It's being used so that
> it's a bit harder (not much) to upload doctored MIME type stuff... The
> real security is in the following lines which adds .txt to everything text.
Mime is indeed just a small improvement. but as stated before: we already have
quite little seccurity: and 0.01 is indeed very small factor of 10. 10 + 0.01
is still ~10. but 0.01 added to 0.01 dubles the number 0.01 +0.01 = 0.02.In
other words: it was a significant improvement, only because we (drupal) do
far too little (security wise) in uploads and file.inc. Adding a small
improvement to very little security makes it significantly more secure :)
> If you upload a .GIF which is not an image but an XSS JS and the MIME is
> text/plain so that IE will go guessing MIME type be it damned forever then
> if (((substr($file->filemime, 0, 5) == 'text/' will stop the parade.
our .txt replacement is quite insecure. first and for all because it does the
(never ever allowed in security land so I am told) opt-in security:
Instead of only allowing certain known files to *not* be rewritten, it
rewrites only a small subset of stuff that is possible runnable on a server.
what about jar, rhtml (ruby), python etc. They are all let trough. we leave
it to the admins to configure stuff corerctly, and don't really help them.
However; this is all part of betteruplaod plans.
But I am fine with you removing it. file.inc needs a lot of work anyway. So
dioes uplod.module. Adding a little more work to that will not make a huge
difference. People who are really concerned about their security should not
lean on uplaod and file.inc anyway, but should add scripts and so behind it,
on the server :)
I was only raising this concern, because you are voting for removing a part of
the little security we do have.
PGP ber at webschuur.com
PGP berkessels at gmx.net
More information about the development