IETF Logo Mail Archive

Re: [media-types] I-D Action: draft-ietf-mediaman-suffixes-00.txt

Harald Alvestrand <harald@alvestrand.no> Sat, 19 February 2022 23:11 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: media-types@ietfa.amsl.com
Delivered-To: media-types@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A90233A05C7 for <media-types@ietfa.amsl.com>; Sat, 19 Feb 2022 15:11:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.614
X-Spam-Level:
X-Spam-Status: No, score=-2.614 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.714, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6IGOiCRnMxtJ for <media-types@ietfa.amsl.com>; Sat, 19 Feb 2022 15:11:51 -0800 (PST)
Received: from smtp.alvestrand.no (smtp.alvestrand.no [65.21.189.24]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F9913A053E for <media-types@ietf.org>; Sat, 19 Feb 2022 15:11:50 -0800 (PST)
Received: from [192.168.3.236] (unknown [78.156.11.215]) by smtp.alvestrand.no (Postfix) with ESMTPSA id E2FF4455DD for <media-types@ietf.org>; Sun, 20 Feb 2022 00:11:47 +0100 (CET)
Message-ID: <faebaccd-1111-e698-f56f-d1f085a8fc85@alvestrand.no>
Date: Sun, 20 Feb 2022 00:11:47 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: media-types@ietf.org
References: <163839922518.1124.7984157361303473511@ietfa.amsl.com> <CAL0qLwYCBxgZQKTx3gi=XKLvMSsuL33bvvh3+ebHysyvn-JMLg@mail.gmail.com> <b1f63558-848b-fa1c-4583-52ae50bdc18e@digitalbazaar.com> <06e74fc4-7679-0052-1e45-15d46b12715a@digitalbazaar.com> <a461d11c-3cce-4a09-038d-e7035a9649b4@it.aoyama.ac.jp> <e84f3003-8d31-f30e-2b04-27e40330dae8@digitalbazaar.com>
From: Harald Alvestrand <harald@alvestrand.no>
In-Reply-To: <e84f3003-8d31-f30e-2b04-27e40330dae8@digitalbazaar.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/media-types/ESlafjJBFkgd3lGPmZI2GuBBZoc>
Subject: Re: [media-types] I-D Action: draft-ietf-mediaman-suffixes-00.txt
X-BeenThere: media-types@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IANA mailing list for reviewing Media Type \(MIME Type, Content Type\) registration requests." <media-types.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/media-types>, <mailto:media-types-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/media-types/>
List-Post: <mailto:media-types@ietf.org>
List-Help: <mailto:media-types-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/media-types>, <mailto:media-types-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Feb 2022 23:11:54 -0000

Are there security concerns here?

It's long been a favorite game of virii and trojans to lie about what 
the inner type contains, and then try to leverage the fact that the 
inner type may dispatch on something different in order to induce 
unexpected processing.

For example, having a gzipped file "image/svg+xml+gzip", knowing that 
the XML parser will dispatch based on the XML declaration not the MIME 
type and instead putting a text/html file with embedded Javascript in there.

Or using the gzip "extract by name" facility and packing "virus.exe" 
inside "image/svg+xml+gzip", knowing that the next level of unpacking 
will dispatch on filename suffix?

These concerns exist (of course) with single-level suffix concatenation 
too, but multiple suffixes multiply the paths that can be taken.

I see that RFC 6838 section 4.6 does not note the particular danger of 
suffixed types; it may be a Good Thing to include a security section in 
this document that mentions the issue.

        Harald

v2.23.0 | Report a Bug | By Email