-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi,
On 1/28/19 3:58 PM, Brion Vibber wrote: > Years ago, we added security checks for IE 5/6/7 to work around > IE's mime type sniffing: if you went to view a .png file directly > in IE (as opposed to in an <img>) the browser would check the first > few bytes of the file to detect its type, overriding the HTTP > Content-Type header. HTML would be detected with a higher priority > than the actual image formats, making it possible to create an > actual .png image which when viewed as an image looked like an > image, but when viewed as a web page was interpreted as HTML, > including any embedded JavaScript. Tim wrote a nice blog post about how he reverse-engineered this: <https://tstarling.com/blog/2008/12/secure-web-uploads/>. I don't have any comments on whether it's still needed, but if it's determined that MediaWiki can drop the checks, I'd like to see it turned into a PHP library...mostly because it's some neat code. - -- Legoktm -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE2MtZ8F27ngU4xIGd8QX4EBsFJpsFAlxP+W4ACgkQ8QX4EBsF Jps8hRAAvU19l6PPh7twy4JQyeHHzEs6AIVXXmQ9HhXjDoV+zu6EpqUO/SW1dxMc sjFiqrTwkdvKhthgevXbjLu9oO0HDVcosV01vdo0qt+p5ZO1Lave6QMWbkbfn9vk rdQ8vEuN/s0NWaXQcYnVHIF+ERwMQ8wR1+xWFZ6H9i7ID03oPVtwrWeDbPivq6n/ hsX+BP8ZOaYvaOH/pCC4Z1dIcaJvD8Wc+3fQiW9BgmfFKHaPT/ZrnggyYKHKDyX9 eJl9oq2jSJ9AefMJVmyEufnctEtFOmJCW/Tv0gmrKgNhnvHYb4FMf5Mwe8HMglVY kKzpQkkNW34xpBvUKeeqPX2GV6MkbQMqsL9bLgAesv+VFxEo7ULYON47drTzyMzo K9MY1ypxqTXEyleXmKBKKsw6P5So13vfKrT4iTJnVNJiu9G+LaEr6p34HcVi8JUn wA1im7UbJ4TeQxiLwe7KNihggXN4AtWGAxszqYXDs9scLk7Wz5eghqIGGijlnmHf xzyPxhmiUB/KaaNQXNR+3kKNW5wLBuLOAubg1ZjnSEf3+V3j4ZIT9UFGebz0p0iv Akm/WnMs8R/tUlGOOX3+Pg78cJTVRtCy6CSUyVA53GqUAae++rvQelP5xa5eyt4r mQhnDQlJaiDjcWe1kip+I5c7WcUVIc1rnsrukb2eAOjH4Dkr7G4= =fcwi -----END PGP SIGNATURE----- _______________________________________________ Wikitech-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikitech-l
