Re: new mime detection approach



On Thu, 2004-01-15 at 07:37, Mattias Eriksson wrote:
> I see one security flaw with this solution and it is that the user might
> be fooled into running trojans and other kinds of evil programs. If I
> send a user an executable with a .mp3 extension or .gif extension, it is
> detected according to the suffix. The user wants to take a look at it
> and double-click the file. Now a sniff is performed and it is detected
> it is an executable and the file is run. Do we really want this?
> 

I guess (hope) the idea is not to directly run the script/executable but
to warn the user that the file she assumed was an MP3 is actually an
executable file. I don't know if such a warning would be enough to
prevent users from hurting themselves...

Maybe a solution would be to totally refuse to run a script/executable
whose extension doesn't match its mime-type (except if the file doesn't
have any extension). Hence users would have to rename the file before
running it.

-- 
Julien Olivier <julo altern org>
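
The refuse-on-mismatch policy proposed in the message above, as an added example that is not part of the original post or of any project's code. The suffix table, magic-byte table and the function names `sniff` and `launch_decision` are assumptions made for illustration; a real desktop would consult its MIME database instead.

```python
import os

# Constructed tables for this example only.
SUFFIX_TYPES = {
    ".mp3": "audio/mpeg",
    ".gif": "image/gif",
    ".sh": "application/x-shellscript",
}
MAGIC = [
    (b"\x7fELF", "application/x-executable"),
    (b"#!", "application/x-shellscript"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"ID3", "audio/mpeg"),
]
EXECUTABLE_TYPES = {"application/x-executable", "application/x-shellscript"}


def sniff(head):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    return None


def launch_decision(filename, head):
    """Decide what a double-click should do: 'run', 'open' or 'refuse'."""
    suffix = os.path.splitext(filename)[1].lower()
    sniffed = sniff(head)
    claimed = SUFFIX_TYPES.get(suffix)
    if sniffed in EXECUTABLE_TYPES:
        if suffix == "":
            return "run"      # no extension: nothing for the content to contradict
        if claimed == sniffed:
            return "run"      # extension agrees with the sniffed type
        return "refuse"       # e.g. ELF named song.mp3: user must rename first
    return "open"             # non-executable content goes to its normal handler
```

An unknown extension on executable content is also refused, since it does not match the sniffed type.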


