Re: Plain text files in internet explorer

From: Eric Rostetter (eric.rostetterat_private)
Date: Mon Sep 02 2002 - 20:11:23 PDT


    Quoting Dan Kaminsky <danat_private>:
    
    > Mozilla will occasionally render downloads from a scripted backend as
    > plain text.  It's really pretty annoying, correct behavior or not.
    
    Granted.  And the solution is to either fix the backend (best) or prompt
    the user if they would like to take a non-standard action.
     
    > All things being equal, I'll go with correct behavior being first that
    > which matches what is presented to the user in the title bar, using
    > standard (Microsoftian!) in-band filename notation, then if nothing
    > usable is there, use the MIME-type as a hint.  In such a circumstance:
    
    This is just plain wrong.  Just because it works for Microsoft users
    doesn't mean it works for the rest of the world.  At least until Microsoft
    really does take over the world and the rest of us go away.
    
    > foobar.txt is always read as text.
    
    Okay.  So what is foobar.text read as?
    
    > foobar.html is always read as html.
    
    But what if I don't want it read as html?
    
    > foobar.php and foobar.php, which really *should* be foobar.html because
    > -- dear god, they contain html -- can use the MIME-type to hint
    > themselves into HTML parsing.
    
    But what if -- dear god -- it contains php and not html?
    
    > foobar.gif is always read as gif.
    
    Okay.
    
    > a javascript virus is always obviously either javascript(foo.js) or
    > parsed as a gif(foo.gif).
    
    But what if I don't want it parsed at all?
    
    > Importantly, I cannot conceive of a circumstance in which this can be
    > described as incorrect behavior.
    
    Okay, here's the crux of the problem.  Microsoft MSIE thinks that when a web
    page wants to download a file called sample.com it must be a Microsoft (DOS)
    executable and tries to execute it as such, even though I told it that it
    was a text/plain or application/octet-stream file.  The problem is, it is
    really an OpenVMS command file, which is a text/plain file, or at best
    an OpenVMS executable, and Microsoft/MSIE file.  So executing it (which MSIE
    does) is not only inappropriate/undesirable, but it could be totally
    disastrous!
    
    Same for Microsoft thinking that *.doc is a word document, when other 
    operating systems have been using *.doc for other purposes for years.
    Same for *.dir, *.exe, etc.
    
    Point is, not all OS platforms use the same file extensions, so if one decides
    to force its file extensions on the user, it will cause problems with people
    who use multiple OS platforms.
    
    > to view the previous format, not the latter.  GIFs can't exploit your
    > system.  Flash files can, just like any executable.
    
    That is pure fud.
     
    > We're seeing a reasonably steady stream of "x posing as y to get around
    > z restriction" attacks made available specifically because filetype
    > handling is being hidden behind a user-opaque format standard that
    > places the type of a file far outside the file itself.
    
    So?  How is this different than the exploits/viruses/restriction-bypasses
    by using filename extensions (like something.xls.txt or something.exe.txt)?
    
    > I expect the exploit stream will eventually lead to MIME-type
    > deprecation. 
    
    I seriously doubt it.  And it surely won't be replaced by file extensions
    which suffer most all the same problems and additional problems also.
    
    > Yours Truly,
    > 
    >     Dan Kaminsky
    >     DoxPara Research
    >     http://www.doxpara.com
    
    
    -- 
    Eric Rostetter
    The Department of Physics
    The University of Texas at Austin
    
    "TAD (Technology Attachment Disorder) is an unshakable, impractical devotion
    to a brand, platform, product line, or programming language. It's relatively
    harmless among the rank and file, but when management is afflicted the damage
    can be measured in dollars. It's also contagious -- someone with sufficient
    political clout can infect an entire organization."
    
    --"Enterprise Strategies" columnist Tom Yager.
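
Added example, not part of the original message or of any browser's code: a small audit that takes server responses and reports where a client that trusts the filename extension first would override the declared Content-Type, using the sample.com and something.exe.txt cases from the thread. The extension table, host names and URLs are constructed assumptions.

```python
import email
import posixpath
from urllib.parse import urlsplit

# Constructed table (assumption): how an extension-first Windows client
# would treat a file, regardless of what the server declared.
EXT_ACTION = {
    ".txt": "text/plain", ".html": "text/html", ".gif": "image/gif",
    ".doc": "application/msword", ".com": "execute", ".exe": "execute",
}

def audit(responses):
    """Return (filename, declared_type, extension_action) for every response
    where extension-first handling disagrees with the declared Content-Type."""
    findings = []
    for url, raw_headers in responses:
        msg = email.message_from_string(raw_headers)
        declared = msg.get_content_type()  # parameters such as charset are dropped
        # Content-Disposition filename wins over the last URL path segment.
        name = msg.get_filename() or posixpath.basename(urlsplit(url).path)
        ext = posixpath.splitext(name.lower())[1]  # only the final extension counts
        # Unknown extension: the MIME type is used as the hint, as in the quoted proposal.
        action = EXT_ACTION.get(ext, declared)
        if action != declared:
            findings.append((name, declared, action))
    return findings

# Constructed sample responses (URL, response headers).
SAMPLE = [
    ("http://vms.example/files/sample.com", "Content-Type: text/plain\n"),
    ("http://vms.example/get.php?id=7",
     "Content-Type: application/octet-stream\n"
     'Content-Disposition: attachment; filename="notes.doc"\n'),
    ("http://www.example/foobar.php", "Content-Type: text/html; charset=iso-8859-1\n"),
    ("http://www.example/foobar.gif", "Content-Type: image/gif\n"),
    ("http://www.example/something.exe.txt", "Content-Type: application/octet-stream\n"),
]

if __name__ == "__main__":
    for name, declared, action in audit(SAMPLE):
        print(f"{name}: server says {declared}, extension-first client does {action}")
```
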
    



    This archive was generated by hypermail 2b30 : Tue Sep 03 2002 - 08:05:13 PDT