Which version of ExtFile are you using? Which OS? ExtFile has some strange hacks to guess the extension it should use. If it is unable to determine the content type from the upload, it would set in to "application/octet-stream" (which is OK so far), and then pass this wrong finding to guess_extension function of mimetypes module chances are that it will return .obj as extension. Whatever. But then ExtFile does the following:

           mime_ext = guess_extension(content_type or self.content_type)
           if mime_ext is not None:
               if mime_ext in ('.jpeg', '.jpe'):
                   mime_ext = '.jpg'   # for IE/Win :-(
               if mime_ext in ('.obj',):
                   mime_ext = '.exe'   # b/w compatibility
                   id_name = id_name + id_ext
               id_ext = mime_ext

well. I would really like to know what does this "b/w" mean in this context? Not black&white for sure :-). The good news is that you can simply change this .exe into whatever you like, the name of the repository file really doesn't matter and I agree .exe is a scary choice, especially if you are using one very popular operating system.


P.S. Looks like a warm/backdoor actually ;-) heh, Gregor? ;)

Palermo, Tom wrote:

I am working on a project using ExtFile. Lately, when uploading MS Word files, they get uploaded to the file system as .exe files (eg. test.doc becomes test.exe) and the content_type is set to application/octet-stream instead of application/msword. Sometimes the content_tpye is correct but the file extension is still set to .exe. Does anyone know what could be causing this? Is there a config setting in ExtFile that's doing this? Any ideas would be much appreciated. Thanks,

Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to