Brion wrote:
We have a heuristic check which attempts to match MSIE's heuristic test for HTML and rejects anything that matches. Hopefully it's good enough for that, though there may be other dangerous formats that it attempts to recognize, or other checks in the HTML heuristic which I might have missed.
ok... can I somehow help testing this?
MSIE's MIME type "detection" (the process in which it throws away the server's specified content-type information and pulls a new one out of its butt in an unreliable, insecure manner) is partially documented here: http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
urg. and that page does *not* state *how* the detection works... more guesswork :(
MIDI is probably safe. It doesn't seem to be in IE's internally recognized list of types, so it shouldn't try to autodetect.
so *please* just enable it, ok?
SVG is a more dangerous format; IIRC it explicitly allows for the use of JavaScript. Would you mind testing the main SVG-supporting browsers (particularly the Adobe SVG Viewer plug-in running in MSIE and Mozilla) to ensure that JavaScript in a SVG file can't access cookies or hijack the containing browser window?
Hmpf, that would require me to boot into windows;) Well, ok, i'll have a look. Last time i checked javascript in SVG was specified but not really supported.
Also, we could just scan any SVG and other XML-Formats for "<script" and "javascript:" and deny all files that contain such a string. That's a little crude, but would work for 99% i guess.
- when a file is uploaded, run "file -bi" against that file and
remember the output, which is (a pretty good guess of) the mime-type of the file.
MediaWiki can't generally rely on 'file' since it's an external program. It may not give consistent results on all platforms, and is completely absent on some (such as Windows). It's also known to fail to catch the MSIE holes, which can detect HTML on actual valid image files.
Well, one could always make that check optional, so one could just disable it on systems where it is not available. I believe cygwin supplied a file command for windows, though. But the problem that file may be "smarter" than MSIE remains, there you have a point.
- have a map of mime-types-to-file-extensions. Look up the mime-type
returned by file in that table. If it mismatches the file extension, warn about it and refuse to upload. Skip the test if the mime-type is not in the table.
For known image types, we already check that the detected image type matches the extension.
good. Is it easy to extend the list of known mime/ext pairs?
If we are concerned about viruses in general, why not run a virus scanner against every uploaded file? Uploads are not that frequent, CPU should be able to cope with that.
Mainly we're concerned about JavaScript session hijacking, but other problems are a concern as well. Feel free to whip up a wrapper around clamav or something, that might be useful...
OK, i'll have a look at it, it should be trivial enough. But i'll leave the integration to you, because for me it would be a lot more work to find out where to put this than to write the function itself...
Thanks, Daniel
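
The upload checks discussed in this thread (detected type versus file extension, HTML-like markup inside an otherwise valid file, and the crude "<script" / "javascript:" scan for SVG and XML), as an added Python example that is not part of the original messages and is not MediaWiki's code. The magic-number table stands in for `file -bi`; the HTML marker list and the 1024-byte window are assumptions, not MSIE's actual heuristic.

```python
import os

# Stand-in for `file -bi`: a small magic-number table (assumption, not MediaWiki's code).
MAGIC = [(b"\x89PNG\r\n\x1a\n", "image/png"), (b"\xff\xd8\xff", "image/jpeg"),
         (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"), (b"MThd", "audio/midi")]
# Detected MIME type -> permitted extensions. Types not listed skip the extension test.
MIME_EXT = {
    "image/png": {".png"}, "image/jpeg": {".jpg", ".jpeg"}, "image/gif": {".gif"},
    "audio/midi": {".mid", ".midi"}, "image/svg+xml": {".svg"},
}
# Illustrative markers only; this is not MSIE's actual sniffing list.
HTML_MARKERS = (b"<html", b"<head", b"<body", b"<script", b"<title")
SCRIPT_MARKERS = (b"<script", b"javascript:")
SNIFF_WINDOW = 1024  # assumed number of leading bytes a sniffing browser inspects


def detect_mime(data):
    """Guess a MIME type from content; None means 'not in our table'."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    if b"<svg" in data[:SNIFF_WINDOW].lower():
        return "image/svg+xml"
    return None


def check_upload(filename, data):
    """Return (accepted, reason) for one uploaded file."""
    ext = os.path.splitext(filename)[1].lower()
    mime = detect_mime(data)
    allowed = MIME_EXT.get(mime)
    if allowed is not None and ext not in allowed:
        return False, "extension %s does not match detected type %s" % (ext, mime)
    # A valid image can still carry text that a sniffing browser treats as HTML.
    head = data[:SNIFF_WINDOW].lower()
    if mime != "image/svg+xml" and any(m in head for m in HTML_MARKERS):
        return False, "HTML-like markup near start of file"
    # Crude whole-file scan of SVG/XML for scripting, as proposed in the thread.
    is_xml = mime == "image/svg+xml" or ext in (".svg", ".xml")
    if is_xml and any(m in data.lower() for m in SCRIPT_MARKERS):
        return False, "script content in XML/SVG"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: PNG signature followed by markup a sniffing browser might act on.
    sample = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<html><body>x</body></html>"
    print(check_upload("photo.png", sample))
```

The substring scan is deliberately crude, as the thread says: it rejects any SVG that mentions those strings and does not parse the XML.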