On Wed, Dec 27, 2006 at 03:12:55PM -0500, David F. Skoll wrote: > I've heard rumours that if Windows cannot determine what to do with a > file based on the MIME type or file name, it actually looks at the > "magic values" in the file to determine the file type. If this is the > case (I have no way of knowing), then the only safe workaround is (1).
It is true. See: http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp This was the cause of a recently discovered cross site scripting bug in a LOT of webmail applications (including gmail), when using IE. I'm not aware if this same bug can be hit by common windows MUAs like outlook express, but it would frankly astonish me if there isn't a windows MUA out there that isn't susceptible to this. Or in simple terms: it doesn't make any difference what mime type you specify, if windows thinks it is HTML, it will be rendered as HTML. (workarounds: firefox, and/or Ubuntu (insert your favorite linux distro)). -- Jan-Pieter Cornet <[EMAIL PROTECTED]> !! Disclamer: The addressee of this email is not the intended recipient. !! !! This is only a test of the echelon and data retention systems. Please !! !! archive this message indefinitely to allow verification of the logs. !! _______________________________________________ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list [email protected] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
