Firefox - gedit is the best!
Mateusz Marzantowicz
mmarzantowicz at osdf.com.pl
Tue Oct 29 09:07:29 UTC 2013
On 29.10.2013 09:17, Ian Malone wrote:
> On 29 October 2013 04:47, Tim <ignored_mailbox at yahoo.com.au> wrote:
>> On Mon, 2013-10-28 at 22:55 +0100, Mateusz Marzantowicz wrote:
>>> I don't know it is a correct design in that case. FF doesn't check
>>> file content and only trusts that HTTP headers are set correctly. But
>>> it is FF and not Fedora issue anymore.
>>
>> And that is how they're supposed to work, and how it really should be
>> done, for reasons of sanity. When you ignore headers, and just pass
>> data to browsers to "sort out what do with this yourself," things screw
>> up, right royally.
>>
>> For one thing, it's why Windows is so vulnerable. Nasty stuff bypasses
>> sensible handling, and is allowed to execute, because that's what
>> Windows does with binary program files (it executes them).
>>
>
> This isn't an argument for using content type rather than
> autodetection, the content type could be manipulated as part of an
> attack. What you go on to say about the problem of knowing what you've
> got:
>
>> There are any number of different types of files
>> (function-wise) that are the same file-type (construction-wise), so they
>> need correct identification by what's sending it, as it will be the only
>> thing that would correctly know what it is.
>
> This and the general problem of correctly identifying the type of
> every data type and version under the sun is the reason to not try and
> snoop the data type.
>
OK, I know all that argumentation about security but as you've mentioned
HTTP headers could be easily manipulated. Content recognition must be
done somewhere, in that case on web server, in order to set headers
correctly. There always would be need for content inspection. So what is
better: check content on server side or client side? From client
perspective the later is safer because it doesn't have to trust some
remote entity. My sample URL showed that even GitHub isn't perfect and
sets improper headers for some files (or it does it by choice). Finally,
client software and web browsers should not be fragile to miscellaneous
and manipulated content - they just should recognizes it as such.
Mateusz Marzantowicz
More information about the users
mailing list