Re: Plain text files in internet explorer

From: Dan Kaminsky (dan@doxpara.com)
Date: 09/03/02


Date: Mon, 02 Sep 2002 16:43:08 -0700
From: Dan Kaminsky <dan@doxpara.com>
To: Philip Rowlands <phr@doc.ic.ac.uk>


>
>
>A tutorial site teaching basic HTML, which presents code snippets as
>text/plain to allow the student to read the markup, but would save to
>the hard disk as .html.
>
>What is .rpm? Is it an RPM Package Manager file, or a Realaudio Plugin?
>Both exist.
>
>
Great example. Look how elegantly web servers handle that *specific*
little cluster.

I'm serious; we have an extension <-> filetype LUT in the web server,
the one component that cares least about the content, and it's breaking
at precisely this point. Extensions are file types. Period.

>What about .cgi that looks like HTML but declares itself to be
>text/plain?
>
Photoshop makes a JPEG. It's a JPEG.
Imagemagick makes a JPEG. It's a JPEG.
Some crazy hacker with a hex editor makes a JPEG. It's a JPEG.

The implementation does not define the format. Exposing CGI/PHP/ASP is
marketing, nothing more. We actually shouldn't be seeing foo.cgi...but
if we are, I'll accept MIME type being used as a *hack* to expose the
type of *backend* data.

>Perhaps the author of an image archive site intends his .gif/.jpg/.bmp
>files to be downloaded straight, not rendered, so uses
>application/octet-stream.
>
So at the layer of the web server, he's going to subvert the GIF mapping
into octet stream?

Do consider how ridiculous this sounds.

>That's a huge (and IMHO backward) paradigm shift. The Uniform Resource
>Locator is just that, a "handle" on some content. It does not specify
>the type of data, nor its size, age, TTL, language, caching
>characteristics etc. All of these belong out-of-band, so to speak, in
>the protocol headers.
>
>
You are correct about everything but type. In that case, empirical
psychology and security theory trump your directionless abstract eighty-three
ways from Sunday.

http://www.foobar.com/movie.mpg is a direct handle to an mpeg movie.
http://www.foobar.com/foobar.exe is a direct handle to an executable.

Suppose for a moment we keep the URLs the same, but swap file content
and MIME header (i.e. you go to download the movie and instead run the
code in foobar.exe). Sure, this is an obvious breach of security, but
it's something *more* than that. It's a spoofing attack. The user has
as much a legitimate right to consider themselves downloading a batch of
video data as they do to believe the content is coming from foobar.com.

Just as the web would be better off with most sites bothering to
authenticate their content -- perhaps with HTTPS, perhaps with XML
signatures -- because it would bring trust to the meaning extracted from
the URL, so too the web would be better off with an enforced consistency
between the data type presented to the user and the data type parsed.

There are few engineers who will praise the simultaneous genius of URLs,
HTTP, and HTML as highly as myself. That they all spawned
simultaneously is a feat of synergistic engineering unparalleled in
recent memory. But MIME-types are a failure, and a stubborn refusal to
admit such benefits nobody.

Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
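As an added example (not part of Dan's message or of the thread), a small checker for the "enforced consistency" he argues for: it compares the type a URL's extension promises with the Content-Type the server actually sends, and flags the movie.mpg / foobar.exe swap, the .rpm ambiguity, the .cgi and octet-stream cases from the exchange above. The extension table, the tab-separated "URL / header" input lines and the verdict names are assumptions made for this example.

```python
from urllib.parse import urlsplit
import posixpath

# What each extension promises the person who clicks the link (constructed table,
# deliberately small; a real deployment would load the server's own extension map).
PROMISED = {
    ".html": {"text/html"}, ".htm": {"text/html"},
    ".txt": {"text/plain"},
    ".gif": {"image/gif"}, ".jpg": {"image/jpeg"}, ".jpeg": {"image/jpeg"},
    ".mpg": {"video/mpeg"},
    ".exe": {"application/x-msdownload", "application/octet-stream"},
    # The .rpm case from the thread: one extension, two legitimate meanings.
    ".rpm": {"application/x-rpm", "audio/x-pn-realaudio-plugin"},
}
# Script extensions name the backend, not the format, so the header is the only claim.
BACKEND = {".cgi", ".php", ".asp"}

def media_type(content_type):
    """Strip parameters such as '; charset=iso-8859-1' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()

def check(url, content_type):
    """Classify one URL / Content-Type pair as seen in a response."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    mt = media_type(content_type)
    if not ext or ext in BACKEND:
        return "header-governs"        # URL makes no type promise
    if ext not in PROMISED:
        return "unknown-extension"     # nothing to compare against
    if mt in PROMISED[ext]:
        return "consistent"
    if mt == "application/octet-stream":
        return "forced-download"       # nothing gets parsed, so no spoof
    return "mismatch"                  # the spoofing case the thread describes

def find_mismatches(log_lines):
    """Return (url, media_type) for lines whose header contradicts the URL.
    Each line is 'URL<TAB>Content-Type' (a constructed format for this example)."""
    hits = []
    for line in log_lines:
        url, _, ctype = line.partition("\t")
        if check(url, ctype) == "mismatch":
            hits.append((url, media_type(ctype)))
    return hits

SAMPLE_LOG = [  # constructed sample input
    "http://www.foobar.com/movie.mpg\tvideo/mpeg",
    "http://www.foobar.com/movie.mpg\tapplication/x-msdownload",
    "http://www.foobar.com/lesson1.html\ttext/plain; charset=iso-8859-1",
    "http://www.foobar.com/index.cgi\ttext/plain",
    "http://www.foobar.com/photo.gif\tapplication/octet-stream",
    "http://www.foobar.com/pkg.rpm\taudio/x-pn-realaudio-plugin",
    "http://www.foobar.com/notes.txt\ttext/html",
]
```

Running `find_mismatches(SAMPLE_LOG)` reports the swapped movie, the tutorial page served as text/plain, and the .txt file served as text/html; the .cgi, octet-stream and .rpm lines pass.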


