Re: [PHP] IE, Word documents and Content Types

2007-01-09 Thread tedd

At 11:36 PM +0100 1/4/07, Jochem Maas wrote:
> Roman Neuhauser wrote:
> > # [EMAIL PROTECTED] / 2007-01-03 15:48:31 -0600:
> >> On Wed, January 3, 2007 2:52 pm, Philip Thompson wrote:
> >>> I have a form where a user can upload different types of documents. A
> >>> valid file type they will be able to upload is a Word Document.
> >>> However, when I view the $_FILES 'type' of a word document in Internet
> >>> Explorer, it says it's type 'application/octet-stream' instead of
> >>> 'application/msword' or 'application/vnd.ms-word'. It works fine in
> >>> Firefox and Safari.
> >>>
> >>> Any ideas why IE does this and/or how I might be able to get around
> >>> this?
> >> IE does this because MS is not interested in interoperability.
> >
> > Back this statements with some references, will you?
>
> richard's practical experience in dealing with this things is nonsense?
> he has been dealing with this kind of stuff [I'm referring just to his
> experience/work with php for the purpose of this reply] for longer than
> most of us have even heard of php - and for companies that most of us
> would give our right arm to work for. his rant is based on lots of experience
> on how to make things that work, rather than making that should work because
> they adhere to any/every given standard (but don't work because of any number
> of real world situations)
>
> I would strongly suggest you tone down your rather acidic comments directed
> at richard (this was not the first) - he is one of the most valued and respected
> people on this list, he's helped more people improve their skills than most of
> us have written lines of code ... throwing random nasties at him really won't
> win you any friends, conversely richard has made *lots* of friends within the php
> community. he has earned the right to occasionally offer his personal slant on
> a situation. call me protective, I don't mind, richard has earned my respect
> twice (and then some) ... and this is the result.
>
> if you have something serious to add or refute with regard to richard input
> then do it properly - if you end up teaching him something, you'll find that
> he is very much open to taking what you have to offer on board and even go so
> far as to promptly adjust an 'advice'/'article' he might have lying around
> according to his newly acquired knowledge.


Amen to that -- but I think your words fall on troll's ears.

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] IE, Word documents and Content Types

2007-01-09 Thread tedd

At 2:09 AM + 1/5/07, Roman Neuhauser wrote:

> ... the opening remark was completely unwarranted, unasked for.


You mean like the closing remark in your sig?

What do you know about unwarranted and unasked for?

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] IE, Word documents and Content Types

2007-01-05 Thread Richard Lynch
On Thu, January 4, 2007 8:09 pm, Roman Neuhauser wrote:
> # [EMAIL PROTECTED] / 2007-01-04 23:36:44 +0100:
>> Roman Neuhauser wrote:
>> > # [EMAIL PROTECTED] / 2007-01-03 15:48:31 -0600:
>> >> On Wed, January 3, 2007 2:52 pm, Philip Thompson wrote:
>> >>> I have a form where a user can upload different types of documents. A
>> >>> valid file type they will be able to upload is a Word Document.
>> >>> However, when I view the $_FILES 'type' of a word document in Internet
>> >>> Explorer, it says it's type 'application/octet-stream' instead of
>> >>> 'application/msword' or 'application/vnd.ms-word'. It works fine in
>> >>> Firefox and Safari.
>> >>>
>> >>> Any ideas why IE does this and/or how I might be able to get around
>> >>> this?
>> >> IE does this because MS is not interested in interoperability.
>> >
>> > Back this statements with some references, will you?
>>
>> do a quick google on anti-trust or something. there is plenty of evidence
>> that Microsoft has and does continue to hamper and/or ignore interoperability
>> on many fronts.
>
> Yes I know. I don't care.
>
> I was asking if he could back his statement that IE sends CT: a/o-s to
> harm interoperability. I don't care what MS did elsewhere.

It's a theory, more than fact, obviously, as I wasn't involved in the
meetings where MS engineers decided to design/code this specific bit
of IE.

Consider these facts, however:

MS has brain-dead simple .xyz -> file-type-handler Operating System.

'.doc' extensions could have been trivially mapped to
'application/msword' or 'application/vnd.ms-word'

Instead, IE falls back to a generic and content-devoid
'application/octet-stream'

I suppose we could attribute this to sheer stupidity, but I'm going
with malice as the operating factor.

> I'm simply
> fed up with his bashing MS for artificial reasons (like his foaming over
> the allegedly MS-originated Content-Disposition header).

The "Content-Disposition" header was originated in MIME email.

It was then abused by MS IIS for HTTP, for which it was never intended.

And it *still* doesn't work across the board, no matter who made it up.

> *Especially* as the value carries no information since it's under the
> control of a (potentially) malicious user (he later mentioned that
> himself)! The net effect is that a naive programmer who would otherwise
> merrily fall prey to an exploit has to DTRT, which is inspect the file.
>
> That makes the whole thing a non-issue, and the opening remark was
> completely unwarranted, unasked for.

I am sorry you find my posts inflammatory and non-issue with
unwarranted and unasked for information.

Please feel free to use the delete key.

>> >> Note that application/octet-stream is valid for any kind of document
>> >> whatsoever for an upload.  For output, that would require the browser
>> >> to download the document rather than attempt to display it.  More on
>> >> that here:
>> >> http://richardlynch.blogspot.com/
>> >
>> > To the OP: read that rant for amusement, but don't use the "advice"
>> > rlynch gives, it's nonsense. If you don't believe me, check the RFCs
>>
>> richard's practical experience in dealing with this things is nonsense?
>
> It's "advice", not "experience".
>
>> he has been dealing with this kind of stuff [I'm referring just to his
>> experience/work with php for the purpose of this reply] for longer than
>> most of us have even heard of php - and for companies that most of us
>> would give our right arm to work for. his rant is based on lots of experience
>> on how to make things that work, rather than making that should work because
>> they adhere to any/every given standard (but don't work because of any number
>> of real world situations)
>
> I already wrote it:
>
>> > If you don't believe me, check the RFCs
>
> Really, please do it, I beg you. Read the RFCs I quoted in the last
> installment of the Content-Disposition discussion.

Please take the time to figure out WHY QualComm wrote that RFC.

Pay particular attention to the history of MIME EMAIL and HTTP server
headers.

Also take note:  QualComm does not, to the best of my knowledge, have
any invested stake in HTTP servers.  MS does.  MIME Email, QualComm
has much invested.  As with any documentation, pay attention to the
players, and where their money comes from, while you read.

> Richard Lynch:
>
>> It *HAS* to prompt you for a filename and do a download, by the
>> original HTTP RFC spec.  Please read more RFCs until you find the one
>> about "application/octet-stream"
>
>> If the UA opens up "application/octet-stream" it is in direct
>> violation of one of the few HTTP standards that every other UA on the
>> planet actually honors!
>
> The HTTP standard:
>
> Nothing, zip, nada. HTTP doesn't generally discuss presentation of entities
> contained in responses.

Er.

One of the earliest HTTP RFCs specifically states that the client
program MUST treat application/octet-st

Re: [PHP] IE, Word documents and Content Types

2007-01-04 Thread Roman Neuhauser
# [EMAIL PROTECTED] / 2007-01-04 23:36:44 +0100:
> Roman Neuhauser wrote:
> > # [EMAIL PROTECTED] / 2007-01-03 15:48:31 -0600:
> >> On Wed, January 3, 2007 2:52 pm, Philip Thompson wrote:
> >>> I have a form where a user can upload different types of documents. A
> >>> valid file type they will be able to upload is a Word Document.
> >>> However, when I view the $_FILES 'type' of a word document in Internet
> >>> Explorer, it says it's type 'application/octet-stream' instead of
> >>> 'application/msword' or 'application/vnd.ms-word'. It works fine in
> >>> Firefox and Safari.
> >>>
> >>> Any ideas why IE does this and/or how I might be able to get around
> >>> this?
> >> IE does this because MS is not interested in interoperability.
> >  
> > Back this statements with some references, will you?
> 
> do a quick google on anti-trust or something. there is plenty of evidence
> that Microsoft has and does continue to hamper and/or ignore interoperability
> on many fronts.

Yes I know. I don't care.

I was asking if he could back his statement that IE sends CT: a/o-s to
harm interoperability. I don't care what MS did elsewhere.  I'm simply
fed up with his bashing MS for artificial reasons (like his foaming over
the allegedly MS-originated Content-Disposition header).

*Especially* as the value carries no information since it's under the
control of a (potentially) malicious user (he later mentioned that
himself)! The net effect is that a naive programmer who would otherwise
merrily fall prey to an exploit has to DTRT, which is inspect the file.

That makes the whole thing a non-issue, and the opening remark was
completely unwarranted, unasked for.

> >> Note that application/octet-stream is valid for any kind of document
> >> whatsoever for an upload.  For output, that would require the browser
> >> to download the document rather than attempt to display it.  More on
> >> that here:
> >> http://richardlynch.blogspot.com/
> > 
> > To the OP: read that rant for amusement, but don't use the "advice"
> > rlynch gives, it's nonsense. If you don't believe me, check the RFCs
> 
> richard's practical experience in dealing with this things is nonsense?

It's "advice", not "experience".

> he has been dealing with this kind of stuff [I'm referring just to his
> experience/work with php for the purpose of this reply] for longer than
> most of us have even heard of php - and for companies that most of us
> would give our right arm to work for. his rant is based on lots of experience
> on how to make things that work, rather than making that should work because
> they adhere to any/every given standard (but don't work because of any number
> of real world situations)

I already wrote it:

> > If you don't believe me, check the RFCs
 
Really, please do it, I beg you. Read the RFCs I quoted in the last
installment of the Content-Disposition discussion.

Richard Lynch:

> It *HAS* to prompt you for a filename and do a download, by the
> original HTTP RFC spec.  Please read more RFCs until you find the one
> about "application/octet-stream"

> If the UA opens up "application/octet-stream" it is in direct
> violation of one of the few HTTP standards that every other UA on the
> planet actually honors!

The HTTP standard:

Nothing, zip, nada. HTTP doesn't generally discuss presentation of entities
contained in responses.

Richard Lynch:

> Not to mention that it's a STUPID thing for MS IE to have done in the
> first place, to re-purpose a MIME email header for HTTP.

The HTTP standard:

   HTTP/1.1 uses many of the constructs defined for Internet Mail (RFC
   822 [9]) and the Multipurpose Internet Mail Extensions (MIME [7]) to
   allow entities to be transmitted in an open variety of
   representations and with extensible mechanisms. However, RFC 2045
   discusses mail, and HTTP has a few features that are different from
   those described in RFC 2045.

Indeed, how stupid of the HTTP authors to repurpose the MIME Content-Type
header! The "application/octet-stream" names a *MIME type*, FFS! Those
repurposes weren't stupid?

Richard Lynch:

> It doesn't even make sense, since Content-Disposition has a MIME type
> embedded in it, which may or may not match the Content-type of the
> HTTP Request!


RFC 2183 defines the Content-Disposition header using a grammar which
does not include content type:

 disposition := "Content-Disposition" ":"
                disposition-type
                *(";" disposition-parm)

 disposition-type := "inline"
                   / "attachment"
                   / extension-token
                   ; values are not case-sensitive

 disposition-parm := filename-parm
                   / creation-date-parm
                   / modification-date-parm
                   / read-date-parm
                   / size-parm
                   / parameter

In Richard's own words: it wouldn't even make sense, since MIME defines
the Content-Type header!

I hope it's

Re: [PHP] IE, Word documents and Content Types

2007-01-04 Thread Jochem Maas
Roman Neuhauser wrote:
> # [EMAIL PROTECTED] / 2007-01-03 15:48:31 -0600:
>> On Wed, January 3, 2007 2:52 pm, Philip Thompson wrote:
>>> I have a form where a user can upload different types of documents. A
>>> valid file type they will be able to upload is a Word Document.
>>> However, when I view the $_FILES 'type' of a word document in Internet
>>> Explorer, it says it's type 'application/octet-stream' instead of
>>> 'application/msword' or 'application/vnd.ms-word'. It works fine in
>>> Firefox and Safari.
>>>
>>> Any ideas why IE does this and/or how I might be able to get around
>>> this?
>> IE does this because MS is not interested in interoperability.
>  
> Back this statements with some references, will you?

do a quick google on anti-trust or something. there is plenty of evidence
that Microsoft has and does continue to hamper and/or ignore interoperability
on many fronts.

> 
>> Note that application/octet-stream is valid for any kind of document
>> whatsoever for an upload.  For output, that would require the browser
>> to download the document rather than attempt to display it.  More on
>> that here:
>> http://richardlynch.blogspot.com/
> 
> To the OP: read that rant for amusement, but don't use the "advice"
> rlynch gives, it's nonsense. If you don't believe me, check the RFCs

richard's practical experience in dealing with this things is nonsense?
he has been dealing with this kind of stuff [I'm referring just to his
experience/work with php for the purpose of this reply] for longer than
most of us have even heard of php - and for companies that most of us
would give our right arm to work for. his rant is based on lots of experience
on how to make things that work, rather than making that should work because
they adhere to any/every given standard (but don't work because of any number
of real world situations)

I would strongly suggest you tone down your rather acidic comments directed
at richard (this was not the first) - he is one of the most valued and respected
people on this list, he's helped more people improve their skills than most of
us have written lines of code ... throwing random nasties at him really won't
win you any friends, conversely richard has made *lots* of friends within the php
community. he has earned the right to occasionally offer his personal slant on
a situation. call me protective, I don't mind, richard has earned my respect
twice (and then some) ... and this is the result.

if you have something serious to add or refute with regard to richard input
then do it properly - if you end up teaching him something, you'll find that
he is very much open to taking what you have to offer on board and even go so
far as to promptly adjust an 'advice'/'article' he might have lying around
according to his newly acquired knowledge.

> yourself.

because something is set out in an RFC doesn't necessarily mean it's been
implemented either fully or correctly - regardless of whether a given
implementation is 'broken' deliberately or accidentally.

> 
> http://marc.theaimsgroup.com/?l=php-general&m=116626545820302&w=2
> http://marc.theaimsgroup.com/?l=php-general&m=116649130605303&w=2
> 




Re: [PHP] IE, Word documents and Content Types

2007-01-04 Thread Richard Lynch
On Wed, January 3, 2007 4:28 pm, Jochem Maas wrote:
> I guess this is not the time to bring up the discussion on including the
> fileinfo PECL extension into the core as standard that's being waged on
> the internals mailing list (or that mime magic seems to have been
> magically relegated to the dustbin)?

I almost included that, but figured Philip would be able to hack
something up, whether PHP's built-in mime magic is there or not, and
whether it gets relegated to PECL and "disappears" or not, and so on.

The biggest effect of it moving to PECL, imho, is on those who have to
distribute file-upload receiving scripts to servers they do not
control.

You can always hack something on your own server, or even re-write
mime-magic in PHP (ugh) if you really have to...

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] IE, Word documents and Content Types

2007-01-03 Thread Roman Neuhauser
# [EMAIL PROTECTED] / 2007-01-03 15:48:31 -0600:
> On Wed, January 3, 2007 2:52 pm, Philip Thompson wrote:
> > I have a form where a user can upload different types of documents. A
> > valid file type they will be able to upload is a Word Document.
> > However, when I view the $_FILES 'type' of a word document in Internet
> > Explorer, it says it's type 'application/octet-stream' instead of
> > 'application/msword' or 'application/vnd.ms-word'. It works fine in
> > Firefox and Safari.
> >
> > Any ideas why IE does this and/or how I might be able to get around
> > this?
> 
> IE does this because MS is not interested in interoperability.
 
Back this statements with some references, will you?

> Note that application/octet-stream is valid for any kind of document
> whatsoever for an upload.  For output, that would require the browser
> to download the document rather than attempt to display it.  More on
> that here:
> http://richardlynch.blogspot.com/

To the OP: read that rant for amusement, but don't use the "advice"
rlynch gives, it's nonsense. If you don't believe me, check the RFCs
yourself.

http://marc.theaimsgroup.com/?l=php-general&m=116626545820302&w=2
http://marc.theaimsgroup.com/?l=php-general&m=116649130605303&w=2

-- 
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man.  You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991




Re: [PHP] IE, Word documents and Content Types

2007-01-03 Thread Jochem Maas
hi Richard,

Best Wishes for the new year btw!

Richard Lynch wrote:
> On Wed, January 3, 2007 2:52 pm, Philip Thompson wrote:
>> I have a form where a user can upload different types of documents. A
>> valid file type they will be able to upload is a Word Document.
>> However, when I view the $_FILES 'type' of a word document in Internet
>> Explorer, it says it's type 'application/octet-stream' instead of
>> 'application/msword' or 'application/vnd.ms-word'. It works fine in
>> Firefox and Safari.
>>
>> Any ideas why IE does this and/or how I might be able to get around
>> this?
> 
> IE does this because MS is not interested in interoperability.
> 
> Note that application/octet-stream is valid for any kind of document
> whatsoever for an upload.  For output, that would require the browser
> to download the document rather than attempt to display it.  More on
> that here:
> http://richardlynch.blogspot.com/
> 
>> I know of 1 or 2 options for sort of bypassing this, but I'd
>> like to hear from the group to see if there's a better,
>> security-conscious idea.
> 
> The security-conscious idea is to IGNORE the 'type' in $_FILES,
> because anybody could cram anything they want in to that, and send you
> any kind of virus-laden warez document. :-)
> 
> Use Mime Magic or exec("file /path/to/upload", $output, $error) to
> find out what kind of document they REALLY uploaded, regardless of
> what they CLAIM it is in $_FILE['type']

I guess this is not the time to bring up the discussion on including the
fileinfo PECL extension into the core as standard that's being waged on the
internals mailing list (or that mime magic seems to have been magically
relegated to the dustbin)?

:-)

> 




Re: [PHP] IE, Word documents and Content Types

2007-01-03 Thread Richard Lynch
On Wed, January 3, 2007 2:52 pm, Philip Thompson wrote:
> I have a form where a user can upload different types of documents. A
> valid file type they will be able to upload is a Word Document.
> However, when I view the $_FILES 'type' of a word document in Internet
> Explorer, it says it's type 'application/octet-stream' instead of
> 'application/msword' or 'application/vnd.ms-word'. It works fine in
> Firefox and Safari.
>
> Any ideas why IE does this and/or how I might be able to get around
> this?

IE does this because MS is not interested in interoperability.

Note that application/octet-stream is valid for any kind of document
whatsoever for an upload.  For output, that would require the browser
to download the document rather than attempt to display it.  More on
that here:
http://richardlynch.blogspot.com/

> I know of 1 or 2 options for sort of bypassing this, but I'd
> like to hear from the group to see if there's a better,
> security-conscious idea.

The security-conscious idea is to IGNORE the 'type' in $_FILES,
because anybody could cram anything they want in to that, and send you
any kind of virus-laden warez document. :-)

Use Mime Magic or exec("file /path/to/upload", $output, $error) to
find out what kind of document they REALLY uploaded, regardless of
what they CLAIM it is in $_FILE['type']

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
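
The advice in the message above (ignore the 'type' in $_FILES and inspect what was actually uploaded), as an added example that is not part of the thread. The function names and the two sample files are constructed for illustration; it assumes legacy .doc uploads and uses the fileinfo extension mentioned elsewhere in the thread when it is loaded.

```php
<?php
// Added example, not code from the thread. Function names and sample
// data are assumptions made for illustration.

// First 8 bytes of an OLE2 Compound File, the container used by legacy .doc.
// Caveat: .xls, .ppt and .msi share this container, and a matching signature
// says nothing about macros or other embedded content.
const OLE2_MAGIC = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1";

/**
 * Inspect a file's content. The browser-supplied type is never consulted.
 */
function sniff_word_upload(string $path): array
{
    $head = (string) file_get_contents($path, false, null, 0, 8);

    // fileinfo (libmagic) gives a second opinion when the extension is loaded.
    // The exact string it returns for OLE2 files varies with libmagic version,
    // so it is reported here rather than used for the decision.
    $sniffed = null;
    if (class_exists('finfo')) {
        $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: null;
    }

    return ['ole2_signature' => ($head === OLE2_MAGIC), 'finfo' => $sniffed];
}

/**
 * Validate one entry of $_FILES, e.g. $_FILES['document'].
 */
function accept_word_upload(array $file): bool
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return false;
    }
    // Make sure the path really is a file PHP received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'] ?? '')) {
        return false;
    }
    // $file['type'] is deliberately ignored: IE may send
    // application/octet-stream, and any client can send whatever it likes.
    return sniff_word_upload($file['tmp_name'])['ole2_signature'];
}

// CLI demo with constructed samples: both "uploads" claim to be Word files.
if (PHP_SAPI === 'cli') {
    $samples = [
        'OLE2 header'  => OLE2_MAGIC . str_repeat("\0", 504),
        'plain text'   => "This is plain text with a .doc name.\n",
    ];
    foreach ($samples as $label => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'upl');
        file_put_contents($tmp, $bytes);
        $claimed = 'application/msword'; // client-controlled, so untrusted
        $result  = sniff_word_upload($tmp);
        printf(
            "%-12s claimed=%s signature=%s finfo=%s\n",
            $label,
            $claimed,
            $result['ole2_signature'] ? 'yes' : 'no',
            $result['finfo'] ?? 'n/a'
        );
        unlink($tmp);
    }
}
```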




[PHP] IE, Word documents and Content Types

2007-01-03 Thread Philip Thompson

Hi.

I have a form where a user can upload different types of documents. A  
valid file type they will be able to upload is a Word Document.  
However, when I view the $_FILES 'type' of a word document in Internet  
Explorer, it says it's type 'application/octet-stream' instead of  
'application/msword' or 'application/vnd.ms-word'. It works fine in  
Firefox and Safari.


Any ideas why IE does this and/or how I might be able to get around  
this? I know of 1 or 2 options for sort of bypassing this, but I'd  
like to hear from the group to see if there's a better,  
security-conscious idea.


Thanks in advance,
~Philip

+--+
  When you least expect it...
  expect it!
+--+
