On Sun, Sep 08, 2002 at 12:47:47AM -0400, Dan Merillat wrote:
>
> > Or just replace < and > with one of these set of similar looking characters
> > (I think the last 2 are non-Unicode characters which can be shown in most
> > browsers without prompting to download silly extra packs) ��??����
>
> Like < and >, perhaps?
>
> It dosn't matter, though. IE is going to second-guess the filetype and interpret
> HTML no-matter what.
>
> The only way for them to be safe is to allow image/{gif/jpeg/png/bmp} (AND NO OTHERS)
> text/html and text/plain (which we should probably promote to HTML then
> htmlentityize it.
>
> Here's the anonymity risks:
>
> 1) Image/somethingwedontrecognize <-- IE, netscape like to load "plugins" for
> things it dosn't recognize. Someone could compromise the download server for
> something obscure (AOL .art format, for instance) then check referer documents
> for freenet URLs. Not sure how possible this is as I don't know what all the
> browsers send.
>
> 2) {video,audio}/*: As mentioned before, some formats allow redirecting to
> URLs at the end. Also, codec registry. Even "safe" types like .wav are
> overridden as soon as IE sees the first few bytes of a .wma file, and dumps
> it into media player.
>
> Safest bet: squash into application/octet stream (force download)
>
> 3) CSS: There's only a few ways to specify a URI in standard CSS, so we should be
> able to filter that type safely.
We do. Oh, and the rest of your mail says essentially what I said in the
email titled "sarcasm".
>
> 4) text/plain <-- mangle as described above. Too many risks, and the end-user
>experience
> will be the same. (Wrap in <pre></pre> for good measure)
>
> 5) text/html: We do a good job on this, with a few small loopholes.
>
> "But it shouldn't be in freenet!" I agree, 110%. Fproxy should spin into it's own
>side
> project, hooked into freenet ONLY via the FCP port. This convieniently means that
>any
> "internal" hooks (Build #, etc) would have to be exposed to other toolwriters.
>
> --Dan
>
>
> _______________________________________________
> devl mailing list
> [EMAIL PROTECTED]
> http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/devl
> -- Matthew Toseland [EMAIL PROTECTED] [EMAIL PROTECTED] Freenet/Coldstore open source hacker. Looking for $coding (I'm cheap)
msg03895/pgp00000.pgp
Description: PGP signature
