2008/8/11 Gregory Maxwell <gmaxwell@gmail.com>:
> What I wasn't able to reproduce is a file which both passed the upload validation and which was executed by the Sun JRE... though I didn't try hard once I realized that the use of a different domain for uploading provided strong protection. It might well be that the upload validation needs to be made more aggressive to stop these files, but they pose us little to no risk. (Right now about the only risk I can see would be having evildomain instruct browsers to DoS attack our image servers... which could be done with simple JS on evildomain without any exploit at all.)
AIUI the upload process checks both the extension and the magic number, doesn't it? I suppose it's a Simple Matter Of Programming to check files for validity ...
- d.
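As an added illustration of the extension-plus-magic-number check discussed above, and of why it is not enough on its own (a JAR reader locates the archive from the end of the file, so a valid image with an archive appended passes both checks and still loads in the JRE), here is a small validator with a third check for a trailing ZIP structure. This is example code written for this post, not MediaWiki's upload code; the allow-list of types and the sample files are constructed assumptions, and serving uploads from a separate domain, as Gregory notes, remains the stronger protection.

```python
import io
import zipfile

# Assumed allow-list: extension -> acceptable leading magic bytes.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# ZIP/JAR readers start from the end-of-central-directory record, which
# sits within the last 64 KiB + 22 bytes of the file, whatever precedes it.
ZIP_EOCD = b"PK\x05\x06"
EOCD_WINDOW = 65535 + 22


def has_trailing_zip(data: bytes) -> bool:
    """True if the tail of `data` is a readable ZIP archive (i.e. a JAR)."""
    if ZIP_EOCD not in data[-EOCD_WINDOW:]:
        return False  # cheap pre-filter before a full parse
    try:
        # zipfile tolerates leading non-archive bytes, exactly like a JAR loader
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return len(zf.namelist()) > 0 and zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Extension check, magic-number check, then rejection of hidden archives."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "magic number does not match extension"
    if has_trailing_zip(data):
        return False, "file is also a valid ZIP/JAR archive"
    return True, "ok"


def build_samples() -> tuple[bytes, bytes]:
    """Constructed test data: a header-only GIF, and the same GIF with a ZIP appended."""
    gif = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 20 + b"\x3b"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("example.txt", "placeholder entry")
    return gif, gif + buf.getvalue()
```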