On 28/04/2023 23:42, Max Nikulin wrote:
> incorrect

This word was stripped in the following quote as well.

On 29/04/2023 15:50, Nicolas George wrote:
> Max Nikulin (12023-04-28):
>> value may be intentionally specified
>
> I am stripping your mail to just these few words, because they are the
> core flaw of your argument.

If you prefer to ignore other arguments, I am leaving it up to you.

Source of Content-Type HTTP header values may be a simple file suffix
map like

    types {
        text/html  html;
        image/gif  gif;
        image/jpeg jpg;
    }

http://nginx.org/en/docs/http/ngx_http_core_module.html#types

> If something has been done intentionally, overriding it with a
> heuristic is a very bad practice.

Writing the cited phrase I had in mind an attack whose target is to pass
an innocent-looking file name to a specific application usually used for
another purpose.

> As for invalid values that are mistakenly specified, they are a
> minority, and basing your entire design on a minority of mistakes is
> also not a very good practice.

I consider it important to notify the user that something might go wrong
and perhaps inconsistent data have been received. Even if it is a rare
case, it should help to perform an appropriate action, to correct a
mistake, to minimize damage.
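The position taken in the message above (keep the declared Content-Type, but tell the user when the received data does not agree with it) can be shown in a few lines. The following is an added example written for this page, not code from either participant or from nginx: it derives a declared type from a suffix map in the style of the quoted `types` block, sniffs the leading bytes with a handful of well-known signatures, and reports match, mismatch or unverified without ever replacing the declared value. The suffix map, the signature list and the sample inputs are constructed for the example.

```python
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Optional

# Suffix map in the spirit of the nginx `types` block quoted in the thread
# (constructed for this example; a real server would use its full mime.types).
SUFFIX_TYPES = {
    "html": "text/html",
    "htm": "text/html",
    "gif": "image/gif",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
}

# Leading-byte signatures used for sniffing. Only a few are listed here;
# this is an illustration, not a complete sniffing table.
MAGIC = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]


def type_from_suffix(name: str) -> Optional[str]:
    """Declared type the way a suffix map derives it, or None if unmapped."""
    suffix = os.path.splitext(name)[1].lstrip(".").lower()
    return SUFFIX_TYPES.get(suffix)


def type_from_content(head: bytes) -> Optional[str]:
    """Type sniffed from the first bytes, or None when nothing is recognised."""
    for signature, mime in MAGIC:
        if head.startswith(signature):
            return mime
    lowered = head.lstrip()[:16].lower()
    if lowered.startswith(b"<!doctype html") or lowered.startswith(b"<html"):
        return "text/html"
    return None


@dataclass
class Verdict:
    declared: Optional[str]  # the value that stays in effect; never overridden here
    sniffed: Optional[str]
    status: str              # "match", "mismatch" or "unverified"
    message: str


def check_consistency(name: str, head: bytes,
                      declared: Optional[str] = None) -> Verdict:
    """Cross-check the declared type against the content and report the result.

    `declared` may come from an explicit Content-Type header; when it is not
    given, the suffix map supplies it. A mismatch is reported to the user and
    the declared value is kept, rather than being replaced by the heuristic.
    """
    if declared is None:
        declared = type_from_suffix(name)
    sniffed = type_from_content(head)
    if declared is None or sniffed is None:
        return Verdict(declared, sniffed, "unverified",
                       f"{name}: declared={declared!r} sniffed={sniffed!r}; "
                       f"cannot cross-check")
    if declared == sniffed:
        return Verdict(declared, sniffed, "match",
                       f"{name}: {declared} confirmed by content")
    return Verdict(declared, sniffed, "mismatch",
                   f"{name}: declared {declared} but content looks like "
                   f"{sniffed}; keeping the declared value and flagging it")


if __name__ == "__main__":
    # Constructed sample inputs: a genuine JPEG, a GIF served under an
    # .html name, and a file with no recognisable signature at all.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("page.html", b"GIF89a\x01\x00\x01\x00"),
        ("notes.txt", b"plain text, no signature"),
    ]
    for sample_name, sample_head in samples:
        print(check_consistency(sample_name, sample_head).message)
```

The design point is the one argued in the thread: the heuristic is used to raise a warning, not to decide. An explicit header passed as `declared` wins over the suffix map, the sniffed value never replaces it, and the "unverified" status keeps a missing signature from being mistaken for agreement.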