[Mailman-Developers] Scrubber.py confusion, 2.1b3
Barry A. Warsaw
barry@python.org
Thu, 15 Aug 2002 09:25:47 -0400
>>>>> "DN" == Dale Newfield <Dale@Newfield.org> writes:
DN> Just want to make sure that the reason you're thinking about
DN> this is the same reason I am: I don't want someone mailing
DN> something to a mailing list forged just right so that a file
DN> with an extension they specify lands on my web server and then
DN> gets not just served from that box, but *executed* by the web
DN> server on its way out. The most recent content system I
DN> built does indeed use the mime-type, and builds the filename
DN> extension from it. If someone sends a file abcdefg.cgi as
DN> image/gif, I will write out Q/N000-N999/X.Y.gif (where
DN> N=(X%1000), and Q, X, Y are determined by other parts of the
DN> system). The filename they send is completely dropped, and I
DN> get to filter on mime-type, assured that since the web server
DN> decides mime-type from extension, it will decide the same
DN> mime-type I was told. Sure, someone can upload stuff that
DN> might be malicious, but since I'm assured it'll never be
DN> executed, I'm not worried.
Scrubber.py believes the Content-Type: over the file extension.
Python has a module called mimetypes which translates between
content type and file extension, so it uses that to calculate the
extension on the file it saves in the file system. It also ignores
any path information that might be in the filename parameter, so it
basically just uses the filebase. It'll fall back to .bin if it can't
calculate a better file extension.
-Barry
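The naming scheme Barry describes (extension from the declared Content-Type via mimetypes, sender-supplied path and extension discarded, .bin fallback) as an added illustration; this is not Scrubber.py's own code, and the helper names and the "attachment" default base are assumptions:

```python
import mimetypes
import os
import re

FALLBACK_EXT = ".bin"  # what the post says Scrubber.py falls back to
SAFE_BASE = re.compile(r"[^A-Za-z0-9_-]+")


def extension_for(content_type):
    """Map the declared Content-Type to an extension using the stdlib
    mimetypes table; anything the table does not know becomes .bin."""
    major_minor = content_type.split(";", 1)[0].strip().lower()
    ext = mimetypes.guess_extension(major_minor, strict=True)
    return ext if ext else FALLBACK_EXT


def filebase_of(filename):
    """Keep only a sanitised base name: drop path components (Unix or
    Windows style) and whatever extension the sender chose."""
    if not filename:
        return "attachment"  # assumed default when no name was supplied
    # Normalise backslashes so a Windows-style path cannot carry directories.
    tail = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base, _sender_ext = os.path.splitext(tail)
    base = SAFE_BASE.sub("_", base).strip("_.")
    return base or "attachment"


def saved_name(content_type, filename=None):
    """Name written to disk: the web server will derive the MIME type
    from this extension, so it must come from the Content-Type we
    filtered on, never from the sender's filename."""
    return filebase_of(filename) + extension_for(content_type)


if __name__ == "__main__":
    # Constructed sample values mirroring the scenario in the thread.
    print(saved_name("image/gif", "abcdefg.cgi"))                      # abcdefg.gif
    print(saved_name("application/x-no-such-type", "../../etc/passwd"))  # passwd.bin
```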