[Mailman-Developers] Scrubber.py confusion, 2.1b3

Dale Newfield Dale@Newfield.org
Wed, 14 Aug 2002 09:07:30 -0400 (EDT)

On Wed, 14 Aug 2002, Michael Meltzer wrote:
> I kind of like the "get the extension form mime type" but it broke down
> as soon as I tried to attach a "word" document, came up a
> application/octet-stream with only the extension as a clue. I like the
> method but I do not think it will last, we will end back up at lists

Just want to make sure that the reason you're thinking about this is the
same reason I am:  I don't want someone mailing something to a mailing
list forged just right so that a file with an extension they specify lands
on my web server and then gets not just served from that box, but
*executed* by the web server on it's way out.  The most recent content
system I built does indeed use the mime-type, and builds the filename
extension from it.  If someone sends a file abcdefg.cgi as image/gif, I
will write out Q/N000-N999/X.Y.gif (where N=(X%1000), and Q, X, Y are
determined by other parts of the system).  The filename they send is
completely dropped, and I get to filter on mime-type, assured that since
the web server decides mime-type from extension, it will decide the same
mime-type I was told.  Sure, someone can upload stuff that might be
malicious, but since I'm assured it'll never be executed, I'm not worried.