Re: FUD about security and file extensions (was Re: Why file content sniffing sucks)
- From: Charles Goodwin <charlie xwt org>
- To: Gnome List <gnome-list gnome org>
- Subject: Re: FUD about security and file extensions (was Re: Why file content sniffing sucks)
- Date: Fri Dec 26 05:06:00 2003
On Fri, 2003-12-26 at 03:29, Fabio Gomes wrote:
> > A file type is not determined by its extension. The
> > detection-by-extension ethos is a _hack_.
> Not a hack. IMHO, it's a matter of accuracy. Suffix matching is subject
> to returning wrong results on invalid input, while content sniffing is
> subject to returning wrong results on _valid_ input.
> This is exactly what I am pointing out at
> A user can fix a badly-named file, but cannot fix a bug in VFS magic.
There are a handful of examples of content sniffing being wrong, and
these are bugs. It sounds like you have a problem mainly with the speed
of bug fixing.
> Not true. The origin of these vulnerabilities is not the fact of users
> visually identifying the files as images. The problem is what I've said:
> 1. Windows hides the .exe
> 2. Even if Windows does not have the .exe, the users are able to execute
> attached programs.
So you're advocating that all users know what .exe means. Oh, and .pl,
.py, .sh, etc., etc. Yes, that's really a solution... not.
Or are you advocating that we kill email functionality by disallowing
the manual opening of attachments to protect the user?
Charles Goodwin <charlie xwt org>
Member of the XWT Foundation
The future of the net - www.xwt.org
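The two failure modes argued over above (suffix matching fooled by a renamed executable, content sniffing fooled by a valid file that happens to start with a magic number) can be reproduced side by side. The following is an added example, not code from this thread or from GNOME VFS: the magic-number and extension tables are a small constructed subset of what a real magic database carries, the sample attachments are constructed byte strings, and `displayed_name` only mimics a file manager that hides known extensions (Fabio's point 1) so that "photo.jpg.exe" is shown as "photo.jpg".

```python
import os

# Constructed magic-number table: (leading bytes, MIME type).
# A real sniffer (file(1), shared-mime-info) has thousands of entries.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"MZ", "application/x-dosexec"),   # DOS/Windows PE executable
    (b"#!", "text/x-script"),           # shebang: shell/perl/python script
]

# Constructed extension table.
EXTENSIONS = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".txt": "text/plain",
    ".exe": "application/x-dosexec",
    ".sh": "text/x-script",
}

EXECUTABLE_TYPES = {"application/x-dosexec", "text/x-script"}


def type_by_extension(name):
    """Suffix matching: trust the name, ignore the bytes."""
    _, ext = os.path.splitext(name)
    return EXTENSIONS.get(ext.lower(), "application/octet-stream")


def is_probably_text(data):
    """Crude text heuristic: no NUL bytes and valid UTF-8."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def type_by_content(data):
    """Content sniffing: trust the leading bytes, ignore the name."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return "text/plain" if is_probably_text(data) else "application/octet-stream"


def displayed_name(name, hide_known_extensions=True):
    """Mimic a file manager that hides a known trailing extension."""
    stem, ext = os.path.splitext(name)
    if hide_known_extensions and ext.lower() in EXTENSIONS:
        return stem
    return name


def classify(name, data):
    """Return (extension_type, content_type, verdict) for one attachment.

    The verdict is what a mailer or file manager could act on before
    letting the user 'open' the file: an executable hiding behind a
    non-executable name is the dangerous case, any other disagreement is
    worth flagging, and agreement is 'ok'.
    """
    ext_type = type_by_extension(name)
    content_type = type_by_content(data)
    if content_type in EXECUTABLE_TYPES and ext_type not in EXECUTABLE_TYPES:
        verdict = "SUSPICIOUS: executable content behind a non-executable name"
    elif ext_type != content_type:
        verdict = "MISMATCH: extension and content disagree"
    else:
        verdict = "ok"
    return ext_type, content_type, verdict


# Constructed sample attachments (name -> first bytes of the file).
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,       # genuine PNG
    "photo.jpg": b"MZ\x90\x00\x03\x00" + b"\x00" * 16,      # renamed PE binary
    "holiday.jpg": b"#!/bin/sh\necho owned\n",               # script named as image
    "scan.png": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",         # JPEG with .png name
    "invoice.txt": b"MZ Motors invoice, December 2003\n",   # valid text, sniffed as EXE
    "setup.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 16,      # honestly named binary
    "run.sh": b"#!/bin/sh\necho hello\n",                   # honestly named script
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ext_type, content_type, verdict = classify(name, data)
        print(f"{name:13} shown as {displayed_name(name):11} "
              f"ext={ext_type:22} content={content_type:22} {verdict}")
    print("photo.jpg.exe is displayed as", displayed_name("photo.jpg.exe"))
```

Running it shows both sides of the argument: "photo.jpg" and "holiday.jpg" are caught only because the bytes were sniffed, while "invoice.txt" is a perfectly valid text file that sniffing reports as a DOS executable because its first two bytes are "MZ". The user can rename "invoice.txt" to nothing that helps; only a fix to the magic rules would. The cheap check a practitioner can add on top of either scheme is the one `classify` performs: compare the two answers and refuse to silently execute when they disagree.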