>>>>> "DN" == Dale Newfield <[EMAIL PROTECTED]> writes:
DN> Just want to make sure that the reason you're thinking about
DN> this is the same reason I am: I don't want someone mailing
DN> something to a mailing list forged just right so that a file
DN> with an extension they specify lands on my web server and then
DN> gets not just served from that box, but *executed* by the web
DN> server on its way out. The most recent content system I
DN> built does indeed use the mime-type, and builds the filename
DN> extension from it. If someone sends a file abcdefg.cgi as
DN> image/gif, I will write out Q/N000-N999/X.Y.gif (where
DN> N=(X%1000), and Q, X, Y are determined by other parts of the
DN> system). The filename they send is completely dropped, and I
DN> get to filter on mime-type, assured that since the web server
DN> decides mime-type from extension, it will decide the same
DN> mime-type I was told. Sure, someone can upload stuff that
DN> might be malicious, but since I'm assured it'll never be
DN> executed, I'm not worried.

Scrubber.py believes the Content-Type: over the file extension. Python has a module called mimetypes which translates between content type and file extension, so it uses that to calculate the extension on the file it saves in the file system. It also ignores any path information that might be in the filename parameter, so it basically just uses the filebase. It'll fall back to .bin if it can't calculate a better file extension.

-Barry

_______________________________________________
Mailman-Developers mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman-21/listinfo/mailman-developers
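The filename policy Barry describes (trust the declared Content-Type, derive the on-disk extension with the mimetypes module, drop any path from the sender's filename, fall back to .bin) can be written down in a few lines. The code below is an added illustration, not Scrubber.py's own code; the function names, the restriction of the stem to a safe character set, and the handling of Content-Type parameters (such as "; name=...") are my assumptions about how one would implement that policy, not details from the message.

```python
import mimetypes
import os
import re

# Extension used when mimetypes cannot map the declared type to anything better
# (Barry says Scrubber.py falls back to .bin).
FALLBACK_EXT = ".bin"

# Assumption: only letters, digits, underscore and dash survive in the stem, so
# the stored name can never carry a second extension or shell metacharacters.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]")


def extension_for(content_type):
    """Derive the on-disk extension from the declared Content-Type header.

    The sender's chosen extension is never consulted; this mirrors the rule that
    the web server and the scrubber must agree on the type, so the extension must
    come from the same source the scrubber filtered on.
    """
    # Assumption: strip parameters such as "; name=foo" before lookup.
    media_type = content_type.split(";", 1)[0].strip().lower()
    ext = mimetypes.guess_extension(media_type)
    return ext if ext else FALLBACK_EXT


def safe_filename(sender_filename, content_type):
    """Build the stored filename: sanitised basename stem + type-derived extension."""
    # Discard directory components, treating backslashes as separators too so a
    # Windows-style path from the sender is handled the same way.
    base = os.path.basename(sender_filename.replace("\\", "/"))
    # Drop whatever extension the sender supplied; only the stem is kept.
    stem, _ = os.path.splitext(base)
    stem = _UNSAFE_CHARS.sub("_", stem) or "attachment"
    return stem + extension_for(content_type)


if __name__ == "__main__":
    # Constructed sample inputs: the abcdefg.cgi-as-image/gif case from the thread,
    # plus a path-traversal style name and an unknown type.
    for name, ctype in [
        ("abcdefg.cgi", "image/gif"),
        ("../../etc/passwd", "application/x-unknown-type"),
        ("C:\\temp\\script.php", "image/png"),
    ]:
        print(f"{name!r} sent as {ctype!r} -> {safe_filename(name, ctype)!r}")
```

Because the stored extension is computed from the same Content-Type the scrubber filtered on, a web server that maps extensions to types will serve the file with exactly that type; the sender's "abcdefg.cgi" name never reaches the file system.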