A possible hole that I can see goes as follows: Certain browsers employ an algorithm that inspects the first few bytes of incoming content and if it looks like HTML displays as text/html even if the MIME type in the Content-Type: header says it is something else. I suppose that that such a browser receiving a JPEG file constructed, using COMment records etc to make it look and parse enough like an HTML file to fool the browser (whilst also being a valid JPEG file) may well run embedded <script> tags etc. -- Rob. Krul Thomas wrote: > Having used various JPEG formats for about 10 years now, and having worked > along side software developers familiar with the inner workings of the JPEG > format, I have some comments to add to this thread. > > #1 I have never heard of anybody ever having been infected by a JPEG file. >
This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 14:52:53 PST