You got a point, we should chmod 644 (or umask 133) on the file and prevent any leading dot files (like .htaccess :-), even with that I was a little pissed off that php reacted to the file.

This is going to be bad news, I know I can lock down the paths better but..., "get the extension from mime type" will break too. If it returns an extension that is enabled in the http server, or if a list owner turns on one, this becomes a security black hole. More reason to use a white list, and one that can only be a subset from the mm_conf.py whitelist.

MJM

----- Original Message -----
From: "Dale Newfield" <[EMAIL PROTECTED]>
To: "Michael Meltzer" <[EMAIL PROTECTED]>
Cc: "Barry A. Warsaw" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, August 14, 2002 9:07 AM
Subject: Re: [Mailman-Developers] Scrubber.py confusion, 2.1b3

> On Wed, 14 Aug 2002, Michael Meltzer wrote:
> > I kind of like the "get the extension from mime type" but it broke down
> > as soon as I tried to attach a "word" document, came up as
> > application/octet-stream with only the extension as a clue. I like the
> > method but I do not think it will last, we will end back up at lists
>
> Just want to make sure that the reason you're thinking about this is the
> same reason I am: I don't want someone mailing something to a mailing
> list forged just right so that a file with an extension they specify lands
> on my web server and then gets not just served from that box, but
> *executed* by the web server on its way out. The most recent content
> system I built does indeed use the mime-type, and builds the filename
> extension from it. If someone sends a file abcdefg.cgi as image/gif, I
> will write out Q/N000-N999/X.Y.gif (where N=(X%1000), and Q, X, Y are
> determined by other parts of the system). The filename they send is
> completely dropped, and I get to filter on mime-type, assured that since
> the web server decides mime-type from extension, it will decide the same
> mime-type I was told. Sure, someone can upload stuff that might be
> malicious, but since I'm assured it'll never be executed, I'm not worried.
>
> -Dale
>
> _______________________________________________
> Mailman-Developers mailing list
> [EMAIL PROTECTED]
> http://mail.python.org/mailman-21/listinfo/mailman-developers
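The policy the two messages converge on, as an added example that is not Mailman's Scrubber.py code: the extension comes from the declared MIME type, the sender's extension is only a hint for application/octet-stream, every result must pass a site whitelist that a list owner can only narrow, the written filename is generated (so no leading dot), and the file lands with mode 0644. SITE_ALLOWED_EXTS, choose_extension and store_attachment are hypothetical names; the whitelist values are constructed and stand in for the mm_conf.py whitelist the thread mentions.

```python
import mimetypes
import os
import re
import stat

# Constructed site-wide whitelist (hypothetical stand-in for mm_conf.py's list).
SITE_ALLOWED_EXTS = frozenset({"gif", "jpg", "png", "pdf", "txt", "doc"})


def choose_extension(sent_name, content_type, list_allowed=None):
    """Return a safe extension (no dot) for an attachment, or None to reject it.

    The sender's filename is never reused on disk. The extension is derived
    from the declared MIME type; only for application/octet-stream does the
    sender's own extension serve as a hint. Either way the result must be in
    the site whitelist and, if the list owner narrowed it, in that subset too.
    """
    allowed = SITE_ALLOWED_EXTS
    if list_allowed is not None:
        # A list owner can only narrow the site whitelist, never widen it.
        allowed = allowed & frozenset(e.lower() for e in list_allowed)
    ctype = content_type.split(";", 1)[0].strip().lower()
    if ctype == "application/octet-stream":
        base = os.path.basename(sent_name or "")
        match = re.search(r"\.([A-Za-z0-9]{1,8})$", base)
        ext = match.group(1).lower() if match else None
    else:
        guessed = mimetypes.guess_extension(ctype)
        ext = guessed.lstrip(".").lower() if guessed else None
    return ext if ext is not None and ext in allowed else None


def store_attachment(directory, seq, ext, data):
    """Write the attachment as <seq>.<ext> with mode 0644, never overwriting.

    The name is generated, so it cannot start with a dot and carries nothing
    the sender chose. Returns the path written.
    """
    path = os.path.join(directory, "%d.%s" % (seq, ext))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # The umask can only remove bits; set the intended mode explicitly.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
    return path
```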