Some form of security is probably very desirable indeed, however to
say file extension ... I can see a few potential problems for people
in the future with this..
Some people don't use extensions (say .html for a html page, .gif for
a gif file etc) but hope that the text/html or image/gif mime type
header is enough for it to work (which it may or may not depending on
the client side and/or server side software used), and in some
situations there's no file extension and no proper mime type, and it
can still work in some situations..
In my experience making websites at least I've always found that it
was often better to check the actual file header (using the unix file
utility for instance), than depending on correct mime headers or
extensions, that might well be the case here too ... or am I too open
minded about what the proxy should handle and / or overly cynical that
neither the extension nor the mime type will always match the actual file
header ?
-- Chris
On Apr 2, 2008, at 3:21 PM, Paul Lindner (JIRA) wrote:
Open Proxy should only whitelist specific, configurable filename
extensions
---------------------------------------------------------------------------
Key: SHINDIG-170
URL: https://issues.apache.org/jira/browse/SHINDIG-170
Project: Shindig
Issue Type: Improvement
Reporter: Paul Lindner
The proxy in shindig will proxy anything. This should be changed to
only allow certain filetypes that are commonly used for embedding in
gadgets.
The list of allowed (or disallowed?) extensions should be definable
in syndicator.js and/or CrossServletState
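The file-header check suggested in the reply, set beside the extension allow-list from the issue, as an added example that is not part of the original thread or of Shindig's code. The function names, the allow-list contents and the sample bodies are assumptions made for illustration.

```python
import os

# Well-known leading-byte signatures for the image types a gadget might embed.
SIGNATURES = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}
# Hypothetical extension allow-list, standing in for the configurable list
# the issue proposes; not Shindig's actual configuration.
ALLOWED_EXTENSIONS = {".gif": "image/gif", ".png": "image/png",
                      ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}

def sniff(body):
    """Return the allowed type whose signature starts the body, else None."""
    for mime, magics in SIGNATURES.items():
        if body.startswith(magics):
            return mime
    return None

def check_response(url_path, content_type, body):
    """Return (allowed, sniffed_type, notes) for one proxied response.

    The decision rests on the body's header bytes; extension and
    Content-Type are only compared against it and reported."""
    sniffed = sniff(body)
    if sniffed is None:
        return False, None, ["body matches no allowed signature"]
    notes = []
    ext = os.path.splitext(url_path)[1].lower()
    declared = (content_type or "").split(";")[0].strip().lower()
    if not ext:
        notes.append("no extension")
    elif ALLOWED_EXTENSIONS.get(ext) != sniffed:
        notes.append("extension %s disagrees with content" % ext)
    if not declared:
        notes.append("no Content-Type")
    elif declared != sniffed:
        notes.append("declared %s disagrees with content" % declared)
    return True, sniffed, notes

# Constructed sample bodies (not captured traffic).
GIF_BODY = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
HTML_BODY = b"<html><body>not an image</body></html>"

if __name__ == "__main__":
    print(check_response("/img/logo", "", GIF_BODY))
    print(check_response("/img/logo.gif", "image/gif", HTML_BODY))
    print(check_response("/a.png", "text/html; charset=utf-8", GIF_BODY))
```

A signature match only shows how the body begins, so a proxy using this check would set the response Content-Type from the sniffed type instead of forwarding the upstream header.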