Re: [media-types] I-D Action: draft-ietf-mediaman-suffixes-00.txt
Harald Alvestrand <harald@alvestrand.no> Sat, 19 February 2022 23:11 UTC
Message-ID: <faebaccd-1111-e698-f56f-d1f085a8fc85@alvestrand.no>
Date: Sun, 20 Feb 2022 00:11:47 +0100
To: media-types@ietf.org
References: <163839922518.1124.7984157361303473511@ietfa.amsl.com> <CAL0qLwYCBxgZQKTx3gi=XKLvMSsuL33bvvh3+ebHysyvn-JMLg@mail.gmail.com> <b1f63558-848b-fa1c-4583-52ae50bdc18e@digitalbazaar.com> <06e74fc4-7679-0052-1e45-15d46b12715a@digitalbazaar.com> <a461d11c-3cce-4a09-038d-e7035a9649b4@it.aoyama.ac.jp> <e84f3003-8d31-f30e-2b04-27e40330dae8@digitalbazaar.com>
From: Harald Alvestrand <harald@alvestrand.no>
In-Reply-To: <e84f3003-8d31-f30e-2b04-27e40330dae8@digitalbazaar.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/media-types/ESlafjJBFkgd3lGPmZI2GuBBZoc>
Are there security concerns here?

It's long been a favorite game of virii and trojans to lie about what the inner type contains, and then try to leverage the fact that the inner type may dispatch on something different in order to induce unexpected processing.

For example, having a gzipped file "image/svg+xml+gzip", knowing that the XML parser will dispatch based on the XML declaration not the MIME type and instead putting a text/html file with embedded JavaScript in there. Or using the gzip "extract by name" facility and packing "virus.exe" inside "image/svg+xml+gzip", knowing that the next level of unpacking will dispatch on filename suffix?

These concerns exist (of course) with single-level suffix concatenation too, but multiple suffixes multiply the paths that can be taken.

I see that RFC 6838 section 4.6 does not note the particular danger of suffixed types; it may be a Good Thing to include a security section in this document that mentions the issue.

Harald
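The defensive counterpart of the concern raised above, as an added example that is not part of Harald's mail, the draft, or any IETF code: a Python checker that peels a declared "image/svg+xml+gzip" payload one suffix at a time and verifies each layer against the type that was declared, instead of letting the next stage dispatch on what it sniffs (the XML document's own root element, or the filename stored in the gzip FNAME field). The sample payloads, the filenames ("icon.svg", and the mail's "virus.exe") and the INNER_CHECKS table of verifiable inner types are constructed for this illustration.

```python
"""Added example: verify a multi-suffix media type layer by layer, not by sniffing."""
import gzip
import io
import os
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

class TypeMismatch(ValueError):
    """The payload does not match the media type it was declared as."""

def parse_media_type(media_type):
    """Split 'image/svg+xml+gzip' into ('image', 'svg', ['xml', 'gzip']); the
    outermost wrapping is the last suffix. Parameters (';charset=...') are dropped."""
    essence = media_type.split(";", 1)[0].strip().lower()
    top, slash, sub = essence.partition("/")
    base, *suffixes = sub.split("+")
    if not (top and slash and base and all(suffixes)):
        raise ValueError("malformed media type: %r" % media_type)
    return top, base, suffixes

def gzip_member_name(data):
    """Return the FNAME field of a gzip header (RFC 1952), or None if absent."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise TypeMismatch("payload is not a gzip member")
    flags, pos = data[3], 10  # fixed header: ID1 ID2 CM FLG MTIME(4) XFL OS
    if flags & 0x04:  # FEXTRA: two-byte little-endian length, then that many bytes
        pos += 2 + int.from_bytes(data[pos:pos + 2], "little")
    if not flags & 0x08:  # FNAME flag not set
        return None
    return data[pos:data.index(b"\x00", pos)].decode("latin-1")

def check_svg_xml(payload):
    """Accept only well-formed XML whose root element is SVG's <svg>."""
    try:
        root = ET.fromstring(payload)
    except ET.ParseError as exc:
        raise TypeMismatch("declared image/svg+xml but not well-formed XML: %s" % exc)
    if root.tag != "{%s}svg" % SVG_NS:
        raise TypeMismatch("declared image/svg+xml but root element is %r" % root.tag)
    return root

# Inner types this example can verify: (checker, filename extensions it tolerates).
INNER_CHECKS = {"image/svg+xml": (check_svg_xml, {".svg"})}

def unwrap_and_verify(media_type, data):
    """Strip a trailing +gzip suffix and check the result against the declared
    inner type. Returns the decompressed bytes or raises TypeMismatch."""
    top, base, suffixes = parse_media_type(media_type)
    if not suffixes or suffixes[-1] != "gzip":
        raise TypeMismatch("this example only unwraps a trailing +gzip suffix")
    inner_type = "%s/%s" % (top, "+".join([base] + suffixes[:-1]))
    if inner_type not in INNER_CHECKS:
        raise TypeMismatch("no verifier for inner type %r" % inner_type)
    checker, allowed_ext = INNER_CHECKS[inner_type]
    # The stored filename is sender-controlled metadata: it must agree with the
    # declared type, and it is never used to pick the next handler.
    name = gzip_member_name(data)
    if name is not None and os.path.splitext(name)[1].lower() not in allowed_ext:
        raise TypeMismatch("gzip FNAME %r does not fit %s" % (name, inner_type))
    try:
        payload = gzip.decompress(data)
    except (OSError, EOFError) as exc:
        raise TypeMismatch("gzip layer is corrupt: %s" % exc)
    checker(payload)  # dispatch on the declared inner type, not on what it sniffs as
    return payload

def gzip_with_name(payload, name):
    """Constructed test data: gzip `payload` and record `name` in the FNAME field."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(payload)
    return buf.getvalue()

# Constructed samples: an honest SVG, and an HTML-with-script body of the kind the mail describes.
GOOD_SVG = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><rect/></svg>'
HTML_BODY = b'<?xml version="1.0"?><html><body><script>alert(1)</script></body></html>'

def demo():
    """Run the mail's three scenarios against image/svg+xml+gzip; return label -> outcome."""
    samples = {
        "honest_svg": gzip_with_name(GOOD_SVG, "icon.svg"),
        "html_inside": gzip_with_name(HTML_BODY, "icon.svg"),
        "exe_fname": gzip_with_name(GOOD_SVG, "virus.exe"),
    }
    results = {}
    for label, blob in samples.items():
        try:
            unwrap_and_verify("image/svg+xml+gzip", blob)
            results[label] = "accepted"
        except TypeMismatch as exc:
            results[label] = "rejected: %s" % exc
    return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print("%-12s %s" % (label, outcome))
```

The design point is that the declared type drives every decision: the gzip layer is removed only because the type says "+gzip", the decompressed bytes are handed to the verifier for the remaining "image/svg+xml" rather than to whatever parser the bytes look like they want, and the FNAME field is checked for consistency but never used to choose a handler. A production version would add verifiers for each inner type it accepts and disable DTD processing in the XML parser.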