[Mailman-Developers] Scrubber.py confusion, 2.1b3

Michael Meltzer mjm@michaelmeltzer.com
Wed, 14 Aug 2002 14:39:45 -0400

You got a point, we should chmod 644 (or umask 133) on the file and prevent any leading dot files (like .httpaceess :-), even with
that I was a little pissed off that php reacted to the file.

This is going to be bad news, I know I can lock down the paths better but..., "get the extension form mime type" will break too.  if
it returns a extension that is enabled in the http server or if a list owner turns on one this becomes a security blackhole. More
reason to use a white list, and one that can only be a subset from mm_conf.py whitelist.


----- Original Message -----
From: "Dale Newfield" <Dale@Newfield.org>
To: "Michael Meltzer" <mjm@michaelmeltzer.com>
Cc: "Barry A. Warsaw" <barry@python.org>; <Mailman-Developers@python.org>
Sent: Wednesday, August 14, 2002 9:07 AM
Subject: Re: [Mailman-Developers] Scrubber.py confusion, 2.1b3

> On Wed, 14 Aug 2002, Michael Meltzer wrote:
> > I kind of like the "get the extension form mime type" but it broke down
> > as soon as I tried to attach a "word" document, came up a
> > application/octet-stream with only the extension as a clue. I like the
> > method but I do not think it will last, we will end back up at lists
> Just want to make sure that the reason you're thinking about this is the
> same reason I am:  I don't want someone mailing something to a mailing
> list forged just right so that a file with an extension they specify lands
> on my web server and then gets not just served from that box, but
> *executed* by the web server on it's way out.  The most recent content
> system I built does indeed use the mime-type, and builds the filename
> extension from it.  If someone sends a file abcdefg.cgi as image/gif, I
> will write out Q/N000-N999/X.Y.gif (where N=(X%1000), and Q, X, Y are
> determined by other parts of the system).  The filename they send is
> completely dropped, and I get to filter on mime-type, assured that since
> the web server decides mime-type from extension, it will decide the same
> mime-type I was told.  Sure, someone can upload stuff that might be
> malicious, but since I'm assured it'll never be executed, I'm not worried.
> -Dale