From: Eric Rostetter (eric.rostetter_at_physics.utexas.edu)
Date: Mon Sep 02 2002 - 22:11:23 CDT
Quoting Dan Kaminsky <dan_at_doxpara.com>:
> Mozilla will occasionally render downloads from a scripted backend as
> plain text. It's really pretty annoying, correct behavior or not.
Granted. And the solution is to either fix the backend (best) or prompt
the user if they would like to take a non-standard action.
> All things being equal, I'll go with correct behavior being first that
> which matches what is presented to the user in the title bar, using
> standard (Microsoftian!) in-band filename notation, then if nothing
> usable is there, use the MIME-type as a hint. In such a circumstance:
This is just plain wrong. Just because it works for microsoft users
doesn't mean it works for the rest of the world. At least until microsoft
really does take over the world and the rest of us go away.
> foobar.txt is always read as text.
Okay. So what is foobar.text read as?
> foobar.html is always read as html.
But what if I don't want it read as html?
> foobar.php and foobar.php, which really *should* be foobar.html because
> -- dear god, they contain html -- can use the MIME-type to hint
> themselves into HTML parsing.
But what if -- dear god -- it contains php and not html?
> foobar.gif is always read as gif.
> parsed as a gif(foo.gif).
But what if I don't want it parsed at all?
> Importantly, I cannot conceive of a circumstance in which this can be
> described incorrect behavior.
Okay, here's the crux of the problem. Microsoft MSIE thinks that when a web
page wants to download a file called sample.com it must be a Microsoft (DOS)
executable and tries to execute it as such, even though I told it that it
was a text/plain or application/octet-stream file. The problem is, it is
really an OpenVMS command file, which is a text/plain file, or at best
an OpenVMS executable, and Microsoft/MSIE file. So executing it (which MSIE
does) is not only inappropriate/undesirable, but it could be totally
Same for Microsoft thinking that *.doc is a word document, when other
operating systems have been using *.doc for other purposes for years.
Same for *.dir, *.exe, etc.
Point is, not all OS platforms use the same file extensions, so if one decides
to force its file extensions on the user, it will cause problems with people
who use multiple OS platforms.
> to view the previous format, not the latter. GIFs can't exploit your
> system. Flash files can, just like any executable.
That is pure FUD.
> We're seeing a reasonably steady stream of "x posing as y to get around
> z restriction" attacks made available specifically because filetype
> handling is being hidden behind a user-opaque format standard that
> places the type of a file far outside the file itself.
So? How is this different from the exploits/viruses/restriction-bypasses
by using filename extensions (like something.xls.txt or something.exe.txt)?
> I expect the exploit stream will eventually lead to MIME-type
I seriously doubt it. And it surely won't be replaced by file extensions,
which suffer from almost all the same problems and additional problems also.
> Yours Truly,
> Dan Kaminsky
> DoxPara Research
--
Eric Rostetter
The Department of Physics
The University of Texas at Austin
"TAD (Technology Attachment Disorder) is an unshakable, impractical devotion to a brand, platform, product line, or programming language. It's relatively harmless among the rank and file, but when management is afflicted the damage can be measured in dollars. It's also contagious -- someone with sufficient political clout can infect an entire organization."
--"Enterprise Strategies" columnist Tom Yager.
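The "fix the backend" option from the reply above, as an added example that is not part of this thread or of any software the posters mention: a small Python download handler in which the server declares the type for each file from its own catalogue and ships the filename in-band via Content-Disposition, so a client has no reason to guess from the extension. The DOWNLOADS catalogue, the file contents, the handler and the helper names are all constructed for this example; the sample.com entry mirrors the OpenVMS command-file case in the reply. The X-Content-Type-Options: nosniff header is a later browser mechanism (not discussed in the thread) that tells the client to honour the declared type. The extension_guesses() and disagreements() helpers show, using Python's own mimetypes table, where an extension-first policy would contradict what the backend declared.

```python
"""Serve downloads with a server-declared Content-Type and an in-band filename.

Added example; the catalogue, handler and helper names are assumptions, not
anything from the original thread.
"""
import mimetypes
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed catalogue: name -> (body, declared type). The backend decides the
# type; the extension is just part of the name. "sample.com" is an OpenVMS-style
# command procedure declared as text/plain, "notes.doc" is plain text that
# merely happens to use the .doc extension.
DOWNLOADS = {
    "sample.com": (b'$ WRITE SYS$OUTPUT "hello from OpenVMS"\n',
                   "text/plain; charset=us-ascii"),
    "notes.doc":  (b"plain notes, not a Word document\n",
                   "text/plain; charset=us-ascii"),
    "logo.gif":   (b"GIF89a" + b"\x00" * 10,  # constructed stub, not a real image
                   "image/gif"),
}


def download_headers(name):
    """Headers for one catalogue entry; unknown names raise rather than guess."""
    body, ctype = DOWNLOADS[name]
    safe_name = name.replace('"', "").replace("\\", "")  # keep the quoted-string valid
    return {
        "Content-Type": ctype,
        "Content-Length": str(len(body)),
        # In-band filename, and 'attachment' so the client saves rather than renders.
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        # Later mechanism asking the client to honour the declared type as-is.
        "X-Content-Type-Options": "nosniff",
    }


class DownloadHandler(BaseHTTPRequestHandler):
    """Serves only catalogue entries, with the headers built above."""

    def do_GET(self):
        name = self.path.lstrip("/")
        if name not in DOWNLOADS:
            self.send_error(404)
            return
        body, _ = DOWNLOADS[name]
        self.send_response(200)
        for key, value in download_headers(name).items():
            self.send_header(key, value)
        self.end_headers()
        self.wfile.write(body)


def extension_guesses():
    """What an extension-first client would pick for each name (None = no mapping)."""
    return {name: mimetypes.guess_type(name)[0] for name in DOWNLOADS}


def disagreements():
    """Names where the extension guess contradicts the type the backend declared."""
    out = []
    for name, (_, ctype) in DOWNLOADS.items():
        declared = ctype.split(";")[0].strip()
        guess = mimetypes.guess_type(name)[0]
        if guess is not None and guess != declared:
            out.append(name)
    return out


if __name__ == "__main__":
    # Example run: python3 this_file.py, then fetch http://127.0.0.1:8080/sample.com
    print("extension-first guesses:", extension_guesses())
    print("contradict the backend:", disagreements())
    HTTPServer(("127.0.0.1", 8080), DownloadHandler).serve_forever()
```

Running the script prints the disagreement list before serving: notes.doc is flagged because the extension table says application/msword while the backend declared text/plain, which is exactly the multi-platform extension clash the reply describes. Whether sample.com is flagged depends on the host's mime table, since some systems map .com to an MS-DOS program type and others have no mapping at all.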