On Wed, 14 Aug 2002, Michael Meltzer wrote:

> I kind of like the "get the extension from mime type" but it broke down
> as soon as I tried to attach a "word" document, came up a
> application/octet-stream with only the extension as a clue. I like the
> method but I do not think it will last, we will end back up at lists

Just want to make sure that the reason you're thinking about this is the
same reason I am: I don't want someone mailing something to a mailing
list forged just right so that a file with an extension they specify
lands on my web server and then gets not just served from that box, but
*executed* by the web server on its way out.

The most recent content system I built does indeed use the mime-type,
and builds the filename extension from it. If someone sends a file
abcdefg.cgi as image/gif, I will write out Q/N000-N999/X.Y.gif (where
N=(X%1000), and Q, X, Y are determined by other parts of the system).
The filename they send is completely dropped, and I get to filter on
mime-type, assured that since the web server decides mime-type from
extension, it will decide the same mime-type I was told.

Sure, someone can upload stuff that might be malicious, but since I'm
assured it'll never be executed, I'm not worried.

-Dale

_______________________________________________
Mailman-Developers mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman-21/listinfo/mailman-developers
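
Added example, not part of the message above and not Mailman's or Dale's code: a Python sketch of the naming scheme the message describes, where the stored extension comes only from an allowlisted declared MIME type and the sender's filename is never used. The allowlist, the bucket layout, the function names and the sample message are assumptions constructed for illustration.

```python
from email.message import EmailMessage

# Assumed allowlist: each declared type maps to the one extension the web
# server will translate back to that same type. Anything else is refused,
# including application/octet-stream, which carries no usable type.
ALLOWED = {
    "image/gif": ".gif",
    "image/jpeg": ".jpg",
    "image/png": ".png",
    "text/plain": ".txt",
    "application/pdf": ".pdf",
}

def stored_path(content_type, msg_no, part_no):
    """Build the on-disk name from numbers we control plus the mapped
    extension. Returns None when the declared type is not allowlisted."""
    ext = ALLOWED.get(content_type)
    if ext is None:
        return None
    # Hypothetical layout: bucket directory is msg_no % 1000, zero padded.
    return f"{msg_no % 1000:03d}/{msg_no}.{part_no}{ext}"

def plan_attachments(msg, msg_no):
    """Return (sender_filename, declared_type, stored_path) per attachment.
    The sender's filename is reported for logging only; it never reaches
    the path."""
    plan = []
    for part_no, part in enumerate(msg.iter_attachments(), start=1):
        ctype = part.get_content_type()  # lowercased, parameters dropped
        plan.append((part.get_filename(), ctype,
                     stored_path(ctype, msg_no, part_no)))
    return plan

def sample_message():
    """Constructed sample: a script labelled image/gif, and a document
    sent as application/octet-stream."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment(b"#!/bin/sh\necho hi\n", maintype="image",
                       subtype="gif", filename="abcdefg.cgi")
    msg.add_attachment(b"\xd0\xcf\x11\xe0", maintype="application",
                       subtype="octet-stream", filename="report.doc")
    return msg

if __name__ == "__main__":
    for sent_as, ctype, path in plan_attachments(sample_message(), 12345):
        print(f"{sent_as!r} declared {ctype}: {path or 'rejected'}")
```

The octet-stream case from the quoted reply is rejected here rather than guessed from its extension; whether to fall back to an extension list for such parts is the open question in the thread.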