Hi,
On 1/28/19 3:58 PM, Brion Vibber wrote:
> Years ago, we added security checks for IE 5/6/7 to work around IE's mime type sniffing: if you went to view a .png file directly in IE (as opposed to in an <img>) the browser would check the first few bytes of the file to detect its type, overriding the HTTP Content-Type header. HTML would be detected with a higher priority than the actual image formats, making it possible to create an actual .png image which when viewed as an image looked like an image, but when viewed as a web page was interpreted as HTML, including any embedded JavaScript.
> Tim wrote a nice blog post about how he reverse-engineered this: https://tstarling.com/blog/2008/12/secure-web-uploads/.
I don't have any comments on whether it's still needed, but if it's determined that MediaWiki can drop the checks, I'd like to see it turned into a PHP library...mostly because it's some neat code.
--
Legoktm
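As an added example (not MediaWiki's code and not from this thread), here is a defensive upload check in Python in the spirit of the check Brion describes: it matches the file's magic bytes against the declared type, then refuses any file carrying HTML-looking markup anywhere inside the window a sniffer might inspect, since a valid image signature alone does not stop the sniffer from promoting the file to HTML. The marker list and the 1024-byte window are assumptions, and `sample_png` builds constructed PNG skeletons purely for the demonstration.

```python
import re
import struct
import zlib

# Assumption: illustrative subset of the tags a sniffer keys on; MediaWiki's list is longer.
HTML_MARKERS = (
    b"<!doctype", b"<html", b"<head", b"<body", b"<script", b"<title",
    b"<a href", b"<img", b"<pre", b"<table", b"<iframe", b"<object",
)
SNIFF_WINDOW = 1024  # assumption: how far into the file a sniffer looks
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}

def detect_image_type(data: bytes):
    # MIME type implied by the leading magic bytes, or None if unrecognised.
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None

def looks_like_html(data: bytes, window: int = SNIFF_WINDOW) -> bool:
    # Position-agnostic on purpose: markup after a valid image header still counts.
    head = re.sub(rb"\s+", b" ", data[:window].lower())
    return any(marker in head for marker in HTML_MARKERS)

def check_upload(data: bytes, declared_mime: str):
    # Accept only if magic matches the declared type and the window is HTML-free.
    actual = detect_image_type(data)
    if actual is None:
        return False, "no recognised image signature"
    if actual != declared_mime:
        return False, f"declared {declared_mime} but magic says {actual}"
    if looks_like_html(data):
        return False, "HTML markup inside sniffing window"
    return True, actual

def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    # One PNG chunk (length, type, data, CRC) for the constructed samples below.
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def sample_png(text_chunks=()) -> bytes:
    # Constructed 1x1 PNG skeleton (no IDAT) with optional tEXt chunks.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    body = png_chunk(b"IHDR", ihdr)
    for text in text_chunks:
        body += png_chunk(b"tEXt", b"Comment\x00" + text)
    return b"\x89PNG\r\n\x1a\n" + body + png_chunk(b"IEND", b"")
```

A genuine image's compressed data can contain one of these byte sequences by chance, so a check like this rejects some legitimate files; that false-positive cost is part of the trade-off behind the "is it still needed" question.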