A combination of file extension and mime type might cover most cases. There
are still some bizarre situations where IE will interpret arbitrary text
files as HTML, but I'm not sure what situations that happens in, so checking
for certain types of binary files wouldn't do a lot of good.

On Wed, Apr 2, 2008 at 8:05 AM, Chris Chabot <[EMAIL PROTECTED]> wrote:

> Some form of security is probably very desirable indeed; however, to say
> file extension ... I can see a few potential problems for people in the
> future with this.
>
> Some people don't use extensions (say .html for an HTML page, .gif for a
> GIF file, etc.) but hope that the text/html or image/gif mime type header is
> enough for it to work (which it may or may not, depending on the client-side
> and/or server-side software used), and in some situations there's no file
> extension and no proper mime type, and it can still work in some situations.
>
> In my experience making websites at least, I've always found that it was
> often better to check the actual file header (using the Unix file utility,
> for instance) than depending on correct mime headers or extensions; that
> might well be the case here too ... or am I too open-minded about what the
> proxy should handle and/or overly cynical that neither the extension nor the
> mime type will always match the actual file header?
>
>        -- Chris
>
>
> On Apr 2, 2008, at 3:21 PM, Paul Lindner (JIRA) wrote:
>
> > Open Proxy should only whitelist specific, configurable filename
> > extensions
> >
> > ---------------------------------------------------------------------------
> >
> >                Key: SHINDIG-170
> >                URL: https://issues.apache.org/jira/browse/SHINDIG-170
> >            Project: Shindig
> >         Issue Type: Improvement
> >           Reporter: Paul Lindner
> >
> >
> > The proxy in shindig will proxy anything.  This should be changed to
> > only allow certain filetypes that are commonly used for embedding in
> > gadgets.
> >
> > The list of allowed (or disallowed?) extensions should be definable in
> > syndicator.js and/or CrossServletState
> >
> >
> >
> > --
> > This message is automatically generated by JIRA.
> > -
> > You can reply to this email to add a comment to the issue online.
> >
>
>


-- 
~Kevin

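The three checks discussed in this thread (extension allowlist, declared Content-Type, and the file-header or "magic bytes" check Chris describes) can be combined so that the bytes decide and the other two are only allowed to contradict, not to vouch. The block below is an added illustration written for this page, not Shindig's own code; it is in Python rather than Shindig's Java, and the allowlist, the magic-byte table, the function names and the sample responses are all made up here. The policy it encodes: a response is relayed only if its leading bytes match an allowlisted binary type, and any extension or Content-Type that is present must agree with that type; content with no recognised signature is refused outright, since unrecognised text is exactly what Kevin notes IE may treat as HTML.

```python
import os
from urllib.parse import urlsplit

# Configurable extension allowlist (hypothetical values standing in for what
# SHINDIG-170 proposes to put in syndicator.js / CrossServletState), each mapped
# to the MIME type the extension implies.
ALLOWED_EXTENSIONS = {
    ".gif": "image/gif",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
}

# Leading bytes ("magic") for every allowed type: the check the Unix `file`
# utility performs, reduced to the handful of types the proxy should relay.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}


def sniff(body):
    """Return the allowlisted MIME type implied by the body's first bytes, or None."""
    for mime, signatures in MAGIC.items():
        if any(body.startswith(sig) for sig in signatures):
            return mime
    return None


def declared_type(content_type):
    """Normalise a Content-Type header value: drop parameters, lower-case it."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def check_proxied_resource(url, content_type, body):
    """Decide whether the proxy may relay this upstream response.

    The sniffed type is authoritative and must be on the allowlist.  An
    extension or Content-Type header that is absent is tolerated (both are
    often missing, as the thread notes); one that contradicts the content is
    not.  Returns (True, mime) or (False, reason).
    """
    sniffed = sniff(body)
    if sniffed is None:
        # Anything without a known binary signature could be text that IE would
        # sniff as HTML, so refuse it rather than guess.
        return False, "no allowlisted signature in content"

    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    if ext:
        if ext not in ALLOWED_EXTENSIONS:
            return False, "extension %s not on allowlist" % ext
        if ALLOWED_EXTENSIONS[ext] != sniffed:
            return False, "extension %s contradicts content (%s)" % (ext, sniffed)

    declared = declared_type(content_type)
    if declared is not None and declared != sniffed:
        return False, "Content-Type %s contradicts content (%s)" % (declared, sniffed)

    return True, sniffed


# Constructed sample responses (not real captures): (url, Content-Type, body).
SAMPLES = [
    ("http://example.test/logo.gif", "image/gif", b"GIF89a" + b"\x00" * 10),
    ("http://example.test/img?id=7", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("http://example.test/logo.gif", "image/gif", b"\xff\xd8\xff\xe0JFIF"),
    ("http://example.test/logo.gif", "image/gif", b"<html><script>alert(1)</script>"),
    ("http://example.test/logo.gif", "text/html", b"GIF89a" + b"\x00" * 10),
    ("http://example.test/a.exe", "application/octet-stream", b"MZ\x90\x00"),
]


def run_samples():
    """Evaluate every sample; returns a list of (url, ok, detail)."""
    return [(url, *check_proxied_resource(url, ct, body)) for url, ct, body in SAMPLES]


if __name__ == "__main__":
    for url, ok, detail in run_samples():
        print("%-5s %-35s %s" % ("ALLOW" if ok else "DENY", url, detail))
```

Two things this does not do, which a practitioner would still want: it checks only the first bytes, so a file that is a valid GIF header followed by script text still passes (browsers that render by declared type will show the image, but it is not proof the body is harmless), and it decides only whether to relay, setting no response headers. Sending the sniffed type as the proxy's own Content-Type, rather than echoing upstream's, is the natural next step; the later X-Content-Type-Options: nosniff header, honoured by IE8 and later, additionally tells the browser not to second-guess that declared type.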