Tim Starling wrote:
> > * Improved upload file type detection for OpenDocument formats
> >
> > Added a check for the magic value header in OpenDocument zip archives
> > which specifies which subtype it is. Such files will get detected with
> > the appropriate mime type and matching extension, so ODT etc uploads
> > will work again where enabled.
> > (Previously the general ZIP check and blacklist would disable them.)
>
> I think you're missing the point. It's trivial to make a file which is
> both a valid OpenDocument file, and a valid JAR file subject to the same
> origin policy.
I have no doubt of this, but only our restricted-write-access internal
sites allow OpenDocument uploads, and they also allow Zip uploads. ;)
The point is to make the uploads actually *work* when and where they've
been explicitly enabled.
Smarter "evil JAR detection" that pokes through the ZIP file index
looking for Java classes and blocks the specific file would be a nice
addition, particularly if we were to do something foolish like enable
OpenDocument uploads on general-access sites. :)
There is a Zip extension for PHP which might be handy for this purpose,
though of course it's not enabled by default and may not be present on
any given setup. :(
-- brion
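The two checks discussed in this thread, the OpenDocument "mimetype" magic check that makes ODT uploads work again and the proposed scan of the ZIP index for Java classes, as an added example that is not part of the thread and is not MediaWiki's own code (MediaWiki is PHP; Python is used here so the example runs stand-alone without the PHP Zip extension). The function names and the three sample archives are constructed for illustration; the second sample carries both a valid ODF "mimetype" entry and a .class member, which is exactly the case the magic check alone would wave through.

```python
import io
import struct
import zipfile

# Assumed names for this example; not MediaWiki's MimeMagic code.
ODF_MIME_PREFIX = b"application/vnd.oasis.opendocument."
ODF_EXTENSIONS = {
    "application/vnd.oasis.opendocument.text": "odt",
    "application/vnd.oasis.opendocument.spreadsheet": "ods",
    "application/vnd.oasis.opendocument.presentation": "odp",
}


def odf_mime_from_first_entry(data: bytes):
    """OpenDocument magic check: the first local entry must be an
    uncompressed member named 'mimetype' whose body carries the ODF MIME
    type. Returns that MIME string, or None if the layout does not match."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return None
    (method,) = struct.unpack_from("<H", data, 8)
    _csize, usize, name_len, extra_len = struct.unpack_from("<IIHH", data, 18)
    name = data[30:30 + name_len]
    if name != b"mimetype" or method != 0:  # must be stored, not deflated
        return None
    body_start = 30 + name_len + extra_len
    body = data[body_start:body_start + usize]
    if not body.startswith(ODF_MIME_PREFIX):
        return None
    return body.decode("ascii", "replace").strip()


def central_directory_names(data: bytes):
    """Walk the ZIP central directory (the index a JAR loader consults) and
    return every member name, without trusting the local headers at the front."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    names = []
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory entry")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def looks_like_jar(names):
    """The 'evil JAR' heuristic: any Java class file or JAR manifest in the index."""
    lowered = [n.lower() for n in names]
    return any(n.endswith(".class") for n in lowered) or "meta-inf/manifest.mf" in lowered


def classify_upload(data: bytes):
    """Returns (mime, extension, verdict) for an uploaded ZIP-based file."""
    if looks_like_jar(central_directory_names(data)):
        return None, None, "reject: index contains Java class/manifest entries"
    mime = odf_mime_from_first_entry(data)
    if mime is None:
        return "application/zip", "zip", "generic zip"
    return mime, ODF_EXTENSIONS.get(mime), "opendocument"


def build_sample(mime: bytes, extra_members=()):
    """Constructed test archive laid out like an ODF package: 'mimetype'
    first and stored, then compressed content, then any extra members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"), mime, compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", b"<office:document-content/>",
                    compress_type=zipfile.ZIP_DEFLATED)
        for name, body in extra_members:
            zf.writestr(name, body, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def build_plain_zip():
    """Constructed generic ZIP with no 'mimetype' member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"not an OpenDocument file")
    return buf.getvalue()


if __name__ == "__main__":
    odt = build_sample(b"application/vnd.oasis.opendocument.text")
    polyglot = build_sample(b"application/vnd.oasis.opendocument.text",
                            [("Hello.class", b"\xca\xfe\xba\xbe"),
                             ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")])
    for label, blob in (("odt", odt), ("odt+jar", polyglot), ("zip", build_plain_zip())):
        print(label, classify_upload(blob))
```

The magic check reads only the first local header at the front of the file, while a JAR loader resolves members through the central directory at the end; a file that satisfies both views is what Tim describes, so a defender has to look at the index as well as the magic. The heuristic here is name-based (`.class` members and `META-INF/MANIFEST.MF`); checking each member's content for the `0xCAFEBABE` class-file magic would be the next step if renamed entries are a concern.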