This gets back to the question of the scope of the document. Does it, or does it not, handle sniffing of arbitrary blobs of data that come in without any content-type, blobs of data labeled application/octet-stream, and data coming via ftp (through ftp URIs) or thumb drives or mounted NFS file systems or whatever? Does it, or does it not, handle sniffing rules inside ZIP packaged web applications?
If it does, then sniffing should cover everything that is sniffable, including almost all MIME types -- you say "most MIME types that get registered don't need sniffing rules", I don't know what the percentage is, but after all, don't you want to be able to discover file types?? Of course, maybe that broad applicability of sniffing isn't appropriate, but then ... where's are the boundaries? Which situations are in scope vs. not? And don't some of the "in-scope" situations need almost all MIME types to be sniffable? Larry -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Adam Barth Sent: Tuesday, October 25, 2011 9:00 PM To: Tobias Gondrom Cc: [email protected] Subject: Re: [websec] Issue 17: Registry for magic numbers Yeah, I think we're much better off creating a new registry rather than using the MIME registry. The truth is that most MIME types that get registered don't need sniffing rules. The only ones that need it are the legacy ones and the ones browser vendor cause to need it because of the prisoner's dilemma in the browser market. Adam On Tue, Oct 25, 2011 at 8:52 PM, Tobias Gondrom <[email protected]> wrote: > <hat="individual"> > For me the point is, currently we have a table in the document, which > inside an RFC is rather static and hard to extend. > So it looks like a good case for a registry to allow for extendibility > for new mime-types. (e.g. we keep the table in the document, create an > IANA registry, copy the values to the registry and allow for future > entries by expert review) That can either be added to the current > Mime-type registry, or we create a new one (e.g. within the websec > namespace) with only these elements. > > Just my 5cents. > > Tobias > > > > On 25/10/11 05:23, Adam Barth wrote: >> >> On Mon, Oct 24, 2011 at 9:07 PM, "Martin J. Dürst" >> <[email protected]> wrote: >>> >>> On 2011/10/25 11:21, Adam Barth wrote: >>>> >>>> http://trac.tools.ietf.org/wg/websec/trac/ticket/17 refers to an >>>> IANA registry with magic numbers for various media types. I wanted >>>> to compare them to what's in the draft, but I couldn't find it. I >>>> found the media type registry, e.g., for images: >>>> >>>> http://www.iana.org/assignments/media-types/image/index.html >>>> >>>> but I don't see any magic numbers. Would someone be willing to >>>> point me in the right direction? >>> >>> They are in the templates. To get the template for a registration, >>> start at the overview page >>> (http://www.iana.org/assignments/media-types/index.html). >>> >>> Then go to the page that lists all the registration for a give top >>> level, e.g. >>> http://www.iana.org/assignments/media-types/image/index.html for images. >>> >>> Then look at each registration template (click on the link in the >>> left column, or in the right column if the left one doesn't have a >>> link and the right one is to an RFC). You may then find a magic >>> number in the registration template. As an example, for image/jp2, >>> the template is at >>> http://www.iana.org/assignments/media-types/image/jp2. >>> >>> But it looks like earlier templates didn't have a field for a magic >>> number, and this and the reasons Anne gave make this information >>> helpful for cross-checking, but not much more. >> >> == Images == >> >> PNG has a registration template >> <http://www.iana.org/assignments/media-types/image/png>, but lacks a >> signature. >> JPEG doesn't have a template. >> GIF doesn't have a template. >> BMP isn't even registered. >> WEBP isn't even registered. >> ICO has a registration template >> <http://www.iana.org/assignments/media-types/image/vnd.microsoft.icon >> > >> and has the correct signature. Yay! >> >> == Text == >> >> HTML lacks a registration template. >> >> == Application == >> >> PDF doesn't have a template. >> Postscript doesn't have a template. >> OGG doesn't have a template. >> RAR isn't even registered. >> ZIP has a registration template >> <http://www.iana.org/assignments/media-types/application/zip>, but >> lacks a signature. >> GZIP isn't even registered. >> RSS isn't even registered. >> Atom lacks a registration template. >> >> == Audio == >> >> WAV isn't even registered. >> >> == Video == >> >> MP4 lacks a registration template. >> WebM isn't even registered. >> >> This does not look like a promising approach. Note: I haven't even >> looked through all the registrations to see how many have signatures >> that we shouldn't be using. >> >> Adam >> _______________________________________________ >> websec mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/websec > > _______________________________________________ > websec mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/websec > _______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec _______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
