On 02/08/07, Gregory Maxwell <gmaxwell(a)gmail.com> wrote:
> It's also possible to rename malicious content as one of our accepted
> formats for upload and upload it. If your client will execute an 'exe'
> renamed to 'ogg' and sent with the Ogg mime type your client is
> broken, but broken clients do exist. I do not recall ever seeing an
> example of something malicious distributed that way on our sites.

Really? I thought we ran "file" on uploads as well as looking at the extension.
Though I suppose that wouldn't protect against the "specially crafted
malicious file" of security notice fame.
- d.
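
The check discussed in this thread, as an added example that is not part of either message and is not the site's actual upload code: it compares an upload's leading bytes with its claimed extension, the way a `file`-style test would. The signature table, function name and sample inputs are constructed for illustration.

```python
import os

# Constructed subset of magic numbers for accepted media types (assumption,
# not the real allow-list of any site).
SIGNATURES = {
    ".ogg": [b"OggS"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
# Leading bytes of executable formats that must never pass under a media name.
EXECUTABLE_MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable"}


def check_upload(filename, head):
    """Return (accepted, reason) given the upload's name and its first bytes."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in SIGNATURES:
        return False, "extension not on the allow-list"
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return False, f"content is a {label}, not {ext}"
    if not any(head.startswith(m) for m in SIGNATURES[ext]):
        return False, f"content does not start with a {ext} signature"
    return True, "extension and leading bytes agree"


# Constructed sample uploads: (name, first bytes of the body).
SAMPLES = [
    ("song.ogg", b"OggS\x00\x02" + b"\x00" * 8),    # genuine Ogg page header
    ("song2.ogg", b"MZ\x90\x00\x03\x00\x00\x00"),   # exe renamed to .ogg
    ("notes.ogg", b"plain text, no header"),        # wrong content, not executable
    ("tool.exe", b"MZ\x90\x00"),                    # extension itself is refused
    # Correct signature followed by arbitrary bytes: the magic-number check
    # passes, which is the limit the reply points out for crafted files.
    ("odd.ogg", b"OggS" + b"\xff" * 12),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        ok, reason = check_upload(name, head)
        print(f"{name:10} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The last sample is accepted because a signature check only proves the header is right; a file that is malformed deeper in still needs a patched decoder on the client.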