Brion wrote:
We have a heuristic check which attempts to match MSIE's heuristic test
for HTML and rejects anything that matches. Hopefully it's good enough
for that, though there may be other dangerous formats that it attempts
to recognize, or other checks in the HTML heuristic which I might have
missed.
ok... can I somehow help testing this?
MSIE's MIME type "detection" (the process in which it throws away the
server's specified content-type information and pulls a new one out of
its butt in an unreliable, insecure manner) is partially documented here:
http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
urg. and that page does *not* state *how* the detection works... more
guesswork :(
MIDI is probably safe. It doesn't seem to be in IE's internally
recognized list of types, so it shouldn't try to autodetect.
so *please* just enable it, ok?
SVG is a more dangerous format; IIRC it explicitly allows for the use
of JavaScript. Would you mind testing the main SVG-supporting browsers
(particularly the Adobe SVG Viewer plug-in running in MSIE and Mozilla)
to ensure that JavaScript in a SVG file can't access cookies or hijack
the containing browser window?
Hmpf, that would require me to boot into Windows ;) Well, ok, I'll have a
look. Last time I checked, JavaScript in SVG was specified but not really
supported.
Also, we could just scan any SVG and other XML formats for "<script" and
"javascript:" and deny all files that contain such a string. That's a
little crude, but would work for 99% I guess.
* when a file is uploaded, run "file -bi" against that file and
remember the output, which is (a pretty good guess of) the mime-type
of the file.
MediaWiki can't generally rely on 'file' since it's an external
program. It may not give consistent results on all platforms, and is
completely absent on some (such as Windows). It's also known to fail to
catch the MSIE holes, which can detect HTML on actual valid image files.
Well, one could always make that check optional, so one could just
disable it on systems where it is not available. I believe Cygwin
supplied a file command for Windows, though. But the problem that file
may be "smarter" than MSIE remains, there you have a point.
* have a map of mime-types-to-file-extensions. Look up the mime-type
returned by file in that table. If it mismatches the file extension,
warn about it and refuse to upload. Skip the test if the mime-type is
not in the table.
For known image types, we already check that the detected image type
matches the extension.
good. Is it easy to extend the list of known mime/ext pairs?
If we are concerned about viruses in general, why not run a virus
scanner against every uploaded file? Uploads are not that frequent,
CPU should be able to cope with that.
Mainly we're concerned about JavaScript session hijacking, but other
problems are a concern as well. Feel free to whip up a wrapper around
clamav or something, that might be useful...
OK, I'll have a look at it, it should be trivial enough. But I'll leave
the integration to you, because for me it would be a lot more work to
find out where to put this than to write the function itself...
Thanks,
Daniel
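
The checks discussed in this thread (a type-to-extension table, a scan of XML formats for script strings, and rejecting content a sniffing browser could read as HTML), as an added Python example that is not part of the original message and is not MediaWiki's code. The magic-number table, the tag list, the 1024-character window and the on*= pattern are assumptions made for illustration; the tag list does not reproduce MSIE's actual rules.

```python
import re

# Constructed magic-number table: leading bytes -> MIME type.
MAGIC = [(b"\x89PNG\r\n\x1a\n", "image/png"), (b"GIF87a", "image/gif"),
         (b"GIF89a", "image/gif"), (b"\xff\xd8\xff", "image/jpeg"),
         (b"MThd", "audio/midi")]
# MIME type -> allowed extensions. Types missing from this table skip the test.
MIME_EXT = {"image/png": {"png"}, "image/gif": {"gif"},
            "image/jpeg": {"jpg", "jpeg"}, "audio/midi": {"mid", "midi"},
            "image/svg+xml": {"svg"}}
# Assumed tag list standing in for a sniffing browser; not MSIE's actual rules.
HTML_TAGS = re.compile(
    r"<\s*(html|head|body|script|title|table|img|pre|a\s+href)\b", re.I)
# The two strings proposed in the thread, plus on*= handlers (an addition).
XML_SCRIPT = re.compile(r"<\s*script|javascript\s*:|\son\w+\s*=", re.I)
SNIFF_WINDOW = 1024  # assumed number of leading characters to inspect
# Constructed sample: GIF header followed by markup a sniffing browser may act on.
SAMPLE_GIF_HTML = b"GIF89a" + b"\x00" * 10 + b"<html><body>x</body></html>"

def decode_text(data):
    # A UTF-16 file would hide ASCII patterns from a plain byte scan.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")

def detect_mime(data):
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    head = decode_text(data[:SNIFF_WINDOW]).lstrip("\ufeff \t\r\n").lower()
    if "<svg" in head:
        return "image/svg+xml"
    return "text/xml" if head.startswith("<?xml") else None

def check_upload(filename, data):
    """Return a rejection reason, or None when the upload passes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mime, text = detect_mime(data), decode_text(data)
    if mime in MIME_EXT and ext not in MIME_EXT[mime]:
        return "extension does not match detected type " + mime
    if mime in ("image/svg+xml", "text/xml") and XML_SCRIPT.search(text):
        return "active content in XML"
    # SVG legitimately contains tags such as <title>, so it skips the HTML test.
    if mime != "image/svg+xml" and HTML_TAGS.search(text[:SNIFF_WINDOW]):
        return "leading content looks like HTML"
    return None
```

The constructed GIF sample passes the extension check and is still rejected, which is the case the thread notes that 'file' alone does not catch.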