Re: new mime detection approach

From: Julien Olivier <julo altern org>
To: Mattias Eriksson <snaggen acc umu se>
Cc: Nautilus <nautilus-list gnome org>
Subject: Re: new mime detection approach
Date: Thu, 15 Jan 2004 07:56:17 +0000

On Thu, 2004-01-15 at 07:37, Mattias Eriksson wrote:
> I see one security flaw with this solution and it is that the user might
> be fooled into running trojans and other kind of evil programs. If I
> send a user a executable with a .mp3 extension or .gif extension, it is
> detected according to the suffix. The user wants to taka a look at it
> and double-click the file. Now a sniff is performed and it is detected
> it is an executable and the file is run. Do we really want this?
> 

I guess (hope) the idea is not to directly run the script/executable but
to warn the user that the file she assumed was a MP3 is actually an
executable file. I don't know if such a warning would be enough to
prevent users from hurting themselves...

Maybe a solution would to totally refuse to run a script/executable
whose extension doesn't match its mime-type (except if the file doesn't
have any extension). Hence users would have to rename the file before
running it.

-- 
Julien Olivier <julo altern org>

References:
- new mime detection approach
  - From: Alexander Larsson
- Re: new mime detection approach
  - From: Mattias Eriksson

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]