On 29 October 2013 04:47, Tim <ignored_mail...@yahoo.com.au> wrote: > On Mon, 2013-10-28 at 22:55 +0100, Mateusz Marzantowicz wrote: >> I don't know it is a correct design in that case. FF doesn't check >> file content and only trusts that HTTP headers are set correctly. But >> it is FF and not Fedora issue anymore. > > And that is how they're supposed to work, and how it really should be > done, for reasons of sanity. When you ignore headers, and just pass > data to browsers to "sort out what do with this yourself," things screw > up, right royally. > > For one thing, it's why Windows is so vulnerable. Nasty stuff bypasses > sensible handling, and is allowed to execute, because that's what > Windows does with binary program files (it executes them). >
This isn't an argument for using content type rather than autodetection, the content type could be manipulated as part of an attack. What you go on to say about the problem of knowing what you've got: > There are any number of different types of files > (function-wise) that are the same file-type (construction-wise), so they > need correct identification by what's sending it, as it will be the only > thing that would correctly know what it is. This and the general problem of correctly identifying the type of every data type and version under the sun is the reason to not try and snoop the data type. -- imalone http://ibmalone.blogspot.co.uk -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
