Once we add an extension, there will be default MIME types in server implementations for it for any webroot file. Where's the gain then? A dropped file will just use the configured type. If you want to keep the protection, we'll have to check the content type but not allow an extension, which would be bad for some servers to configure, as others pointed out, mainly IIS.
Regards,
Niklas

2015-11-13 2:12 GMT+01:00 Peter Eckersley <[email protected]>:
> I should have added another option, 3b, drop the Content-Type
> restriction but allow file extensions.
>
> Sounds like that would be a win on IIS.
>
> On Thu, Nov 12, 2015 at 05:05:53PM -0800, Martin Thomson wrote:
> > On 12 November 2015 at 16:44, Peter Eckersley <[email protected]> wrote:
> > > But is 3 the best answer?
> >
> > Of those presented, I think so. I know that this isn't a great answer
> > (it's bad already, so bad must be OK), but being able to drop things
> > into .well-known opens a raft of other interesting attacks.
> >
> > More seriously, I think that the other options all have deployment
> > complications that far outweigh the marginal benefit that extra
> > checking might provide.
> >
> > _______________________________________________
> > Acme mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/acme
>
> --
> Peter Eckersley [email protected]
> Chief Computer Scientist Tel +1 415 436 9333 x131
> Electronic Frontier Foundation Fax +1 415 436 9993
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
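The trade-off argued in this message, worked through in code. This is an added example, not code from the ACME specification, from any ACME implementation, or from the thread's authors. It models a static web server that picks Content-Type from the file extension (falling back to a server-wide default for extension-less files) and an http-01 style validator that compares the served body against the key authorization, with or without a Content-Type requirement. The required type `text/plain`, the token, the thumbprint, and the MIME table are all assumptions made for illustration; the thread does not name them. The lenient policy corresponds to the "3b" variant in the quoted reply (no Content-Type restriction).

```python
"""Hypothetical http-01 validator vs. a modelled static server.

Added example; not ACME project code. Shows why a Content-Type check only
distinguishes a file merely dropped into the webroot while the challenge
path has no extension: once an extension is allowed, the server's own
extension table supplies the expected type for free.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed values (not real ACME data). The required media type is an
# assumption of this example; the thread does not say which type was meant.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
REQUIRED_TYPE = "text/plain"
CHALLENGE_DIR = "/.well-known/acme-challenge/"


@dataclass
class Response:
    status: int
    content_type: Optional[str]
    body: bytes


def key_authorization(token: str, thumbprint: str) -> str:
    """Value the client has to serve: token, a dot, account-key thumbprint."""
    return f"{token}.{thumbprint}"


# Minimal model of a static server's MIME handling: the extension decides,
# extension-less files get the server-wide default (hypothetical table).
MIME_BY_EXTENSION = {".txt": "text/plain", ".json": "application/json"}


def serve_from_webroot(path: str, body: bytes,
                       default_type: str = "application/octet-stream") -> Response:
    filename = path.rsplit("/", 1)[-1]
    ext = filename[filename.rfind("."):] if "." in filename else ""
    return Response(200, MIME_BY_EXTENSION.get(ext, default_type), body)


def validate(resp: Response, expected: str,
             required_type: Optional[str]) -> Tuple[bool, str]:
    """required_type=None means: no Content-Type restriction at all."""
    if resp.status != 200:
        return False, "bad status"
    if required_type is not None:
        media = (resp.content_type or "").split(";", 1)[0].strip().lower()
        if media != required_type:
            return False, f"content-type {media!r} != {required_type!r}"
    # Body must equal the key authorization. A single trailing newline is
    # tolerated so a hand-edited file still passes (a choice of this example).
    if resp.body.rstrip(b"\r\n") != expected.encode("ascii"):
        return False, "body mismatch"
    return True, "ok"


def scenarios() -> Dict[str, bool]:
    """Outcome of each policy against the modelled server."""
    ka = key_authorization(TOKEN, THUMBPRINT)
    body = ka.encode("ascii") + b"\n"
    plain = CHALLENGE_DIR + TOKEN            # extension-less challenge path
    with_ext = CHALLENGE_DIR + TOKEN + ".txt"  # extension allowed
    return {
        # Strict type check, no extension, server default left alone:
        # the dropped file is served as octet-stream and is rejected.
        "no_ext_strict_default_server":
            validate(serve_from_webroot(plain, body), ka, REQUIRED_TYPE)[0],
        # Same, but the operator configured the directory's default type.
        "no_ext_strict_configured_server":
            validate(serve_from_webroot(plain, body, default_type="text/plain"),
                     ka, REQUIRED_TYPE)[0],
        # Extension allowed: the MIME table yields text/plain, so the type
        # check passes for any dropped .txt file and adds nothing.
        "ext_strict":
            validate(serve_from_webroot(with_ext, body), ka, REQUIRED_TYPE)[0],
        # No Content-Type restriction: only the body is checked.
        "no_ext_lenient":
            validate(serve_from_webroot(plain, body), ka, None)[0],
        # A wrong body is rejected under every policy.
        "wrong_body_lenient":
            validate(serve_from_webroot(plain, b"garbage"), ka, None)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'pass' if ok else 'fail'}")
```

Reading the results side by side: the strict check rejects the extension-less dropped file only while the server's default type differs from the required one, which is exactly the configuration burden the message complains about; with an extension the check is satisfied by the server's own table, and the validator is left relying on the body comparison either way.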
