On Mon, Oct 24, 2011 at 9:07 PM, "Martin J. Dürst" <[email protected]> wrote:
> On 2011/10/25 11:21, Adam Barth wrote:
>> http://trac.tools.ietf.org/wg/websec/trac/ticket/17 refers to an IANA
>> registry with magic numbers for various media types. I wanted to
>> compare them to what's in the draft, but I couldn't find it. I found
>> the media type registry, e.g., for images:
>>
>> http://www.iana.org/assignments/media-types/image/index.html
>>
>> but I don't see any magic numbers. Would someone be willing to point
>> me in the right direction?
>
> They are in the templates. To get the template for a registration, start at
> the overview page (http://www.iana.org/assignments/media-types/index.html).
>
> Then go to the page that lists all the registrations for a given top level,
> e.g. http://www.iana.org/assignments/media-types/image/index.html for
> images.
>
> Then look at each registration template (click on the link in the left
> column, or in the right column if the left one doesn't have a link and the
> right one is to an RFC). You may then find a magic number in the
> registration template. As an example, for image/jp2, the template is at
> http://www.iana.org/assignments/media-types/image/jp2.
>
> But it looks like earlier templates didn't have a field for a magic number,
> and this and the reasons Anne gave make this information helpful for
> cross-checking, but not much more.

== Images ==

PNG has a registration template
<http://www.iana.org/assignments/media-types/image/png>, but lacks a
signature.
JPEG doesn't have a template.
GIF doesn't have a template.
BMP isn't even registered.
WEBP isn't even registered.
ICO has a registration template
<http://www.iana.org/assignments/media-types/image/vnd.microsoft.icon>
and has the correct signature. Yay!

== Text ==

HTML lacks a registration template.

== Application ==

PDF doesn't have a template.
Postscript doesn't have a template.
OGG doesn't have a template.
RAR isn't even registered.
ZIP has a registration template
<http://www.iana.org/assignments/media-types/application/zip>, but
lacks a signature.
GZIP isn't even registered.
RSS isn't even registered.
Atom lacks a registration template.

== Audio ==

WAV isn't even registered.

== Video ==

MP4 lacks a registration template.
WebM isn't even registered.

This does not look like a promising approach.

Note: I haven't even looked through all the registrations to see how
many have signatures that we shouldn't be using.

Adam
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
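
The survey above done mechanically, as an added example that is not part of the original message or of any IANA or websec tooling: it pulls the "Magic number(s):" field out of registration templates and compares it with a sniffing table. The media types, template texts and signatures are all constructed, and the sniffing table is a hypothetical stand-in for the draft's.

```python
import re

# Constructed templates in the registration-template field layout (not copied from IANA).
TEMPLATES = {
    "image/example-a": "Type name: image\nSubtype name: example-a\n"
                       "Additional information:\n"
                       "  Magic number(s): 45 58 41 31\n",
    "image/example-b": "Type name: image\nSubtype name: example-b\n"
                       "Additional information:\n"
                       "  Magic number(s): none\n",
    # Older layout without a magic number field.
    "image/example-c": "Media type name: image\nMedia subtype name: example-c\n"
                       "Security considerations: none\n",
    "image/example-d": "Type name: image\nSubtype name: example-d\n"
                       "Additional information:\n"
                       "  Magic number(s): 00 00 02 00\n",
}

# Hypothetical stand-in for the signatures a sniffing draft would list.
SNIFF_TABLE = {
    "image/example-a": b"EXA1",
    "image/example-b": b"EXB1",
    "image/example-c": b"EXC1",
    "image/example-d": bytes.fromhex("00000100"),
    "image/example-e": b"EXE1",  # no template exists for this type
}

FIELD = re.compile(r"^[ \t]*Magic number\(s\)[ \t]*:[ \t]*(.*)$", re.I | re.M)
HEX_BYTES = re.compile(r"[0-9A-Fa-f]{2}(?:[ \t]+[0-9A-Fa-f]{2})*")

def magic_from_template(text):
    """Return the signature bytes, or None if the field is absent or not plain hex."""
    m = FIELD.search(text)
    if not m or not HEX_BYTES.fullmatch(m.group(1).strip()):
        return None
    return bytes.fromhex(m.group(1).strip())

def cross_check(templates, sniff_table):
    """Classify each sniffed type the way the survey above does."""
    report = {}
    for media_type, signature in sniff_table.items():
        if media_type not in templates:
            report[media_type] = "not registered"
            continue
        magic = magic_from_template(templates[media_type])
        if magic is None:
            report[media_type] = "no signature in template"
        else:
            report[media_type] = "match" if magic == signature else "mismatch"
    return report
```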
