[Engineering] [Wikitech-l] IE 6/7 MIME type sniffing checks on uploads - is it time to retire them?

Kunal Mehta legoktm at member.fsf.org
Tue Jan 29 06:58:24 UTC 2019


Hi,

On 1/28/19 3:58 PM, Brion Vibber wrote:
> Years ago, we added security checks for IE 5/6/7 to work around
> IE's mime type sniffing: if you went to view a .png file directly
> in IE (as opposed to in an <img>) the browser would check the first
> few bytes of the file to detect its type, overriding the HTTP
> Content-Type header. HTML would be detected with a higher priority
> than the actual image formats, making it possible to create an
> actual .png image which when viewed as an image looked like an
> image, but when viewed as a web page was interpreted as HTML,
> including any embedded JavaScript.

Tim wrote a nice blog post about how he reverse-engineered this:
<https://tstarling.com/blog/2008/12/secure-web-uploads/>.

I don't have any comments on whether it's still needed, but if it's
determined that MediaWiki can drop the checks, I'd like to see it
turned into a PHP library...mostly because it's some neat code.

-- Legoktm
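The class of check the thread is discussing, as an added illustration that is not MediaWiki's code or Tim's: an upload is rejected when its leading bytes, the region a sniffing browser inspects before trusting Content-Type, contain anything readable as HTML, even if the file carries a valid PNG signature. The marker list and the 256-byte window are assumptions for the example, not the exact values used by IE or by MediaWiki.

```python
# Tags that a type-sniffing browser treats as strong evidence of HTML.
# Illustrative list (assumption), not IE's or MediaWiki's exact set.
HTML_MARKERS = (b"<html", b"<head", b"<body", b"<script", b"<title",
                b"<table", b"<plaintext", b"<a href", b"<img",
                b"<!doctype html")

# Size of the leading region a sniffer examines before it overrides the
# server's Content-Type (assumed 256 bytes for this example).
SNIFF_WINDOW = 256

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def looks_like_html(data: bytes, window: int = SNIFF_WINDOW) -> bool:
    """True if the leading `window` bytes contain an HTML marker.

    The comparison is case-insensitive because sniffers do not care about
    tag case; only the first `window` bytes are inspected, mirroring the
    region a browser would look at.
    """
    head = data[:window].lower()
    return any(marker in head for marker in HTML_MARKERS)


def check_png_upload(data: bytes) -> str:
    """Classify a file uploaded as a PNG.

    Returns 'bad-magic' when the PNG signature is missing, 'html-polyglot'
    when the file is a real-looking PNG whose leading bytes could be sniffed
    as HTML, and 'ok' otherwise.
    """
    if not data.startswith(PNG_MAGIC):
        return "bad-magic"
    if looks_like_html(data):
        return "html-polyglot"
    return "ok"


# Constructed byte strings for demonstration, not real image files.
# A minimal PNG header followed by an IHDR-shaped chunk: should pass.
CLEAN_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
# A PNG header followed by a chunk whose payload a sniffer could read as
# markup: valid as an image, but must be rejected as an upload.
POLYGLOT_PNG = PNG_MAGIC + b"\x00\x00\x00\x10tEXt" + b"<script>" + b"\x00" * 8
# Plain HTML with no image signature at all.
PLAIN_HTML = b"<!DOCTYPE html><html></html>"
```

The window matters: a marker placed past `SNIFF_WINDOW` is not flagged by `looks_like_html`, so a server-side check must inspect at least as many bytes as the most aggressive sniffer it is defending against.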
