Re: [websec] Minor feedback on draft-ietf-websec-mime-sniff-03
Willy Tarreau <w@1wt.eu> Sun, 15 January 2012 21:17 UTC
Return-Path: <w@1wt.eu>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B286421F8489 for <websec@ietfa.amsl.com>; Sun, 15 Jan 2012 13:17:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.374
X-Spam-Level:
X-Spam-Status: No, score=-4.374 tagged_above=-999 required=5 tests=[AWL=-4.190, BAYES_20=-0.74, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FYENeTYbHMMX for <websec@ietfa.amsl.com>; Sun, 15 Jan 2012 13:17:12 -0800 (PST)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by ietfa.amsl.com (Postfix) with ESMTP id D945821F8480 for <websec@ietf.org>; Sun, 15 Jan 2012 13:17:11 -0800 (PST)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id q0FLH2oA007630; Sun, 15 Jan 2012 22:17:02 +0100
Date: Sun, 15 Jan 2012 22:17:02 +0100
From: Willy Tarreau <w@1wt.eu>
To: Adam Barth <ietf@adambarth.com>
Message-ID: <20120115211702.GJ32205@1wt.eu>
References: <20120115195120.GG32205@1wt.eu> <CAJE5ia_gBJ=7DviO5hkmqnXHtC8ptHyKAMieBrFbVV-h9rQo9g@mail.gmail.com> <20120115204154.GH32205@1wt.eu> <CAJE5ia9vPmkMB-NkF-5PRzd2UZcrnSvmVPNYX3XvA80HMeVvEw@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAJE5ia9vPmkMB-NkF-5PRzd2UZcrnSvmVPNYX3XvA80HMeVvEw@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
X-Mailman-Approved-At: Sun, 15 Jan 2012 19:21:26 -0800
Cc: websec@ietf.org, ian@hixie.ch
Subject: Re: [websec] Minor feedback on draft-ietf-websec-mime-sniff-03
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jan 2012 21:17:12 -0000
On Sun, Jan 15, 2012 at 12:53:00PM -0800, Adam Barth wrote: > On Sun, Jan 15, 2012 at 12:41 PM, Willy Tarreau <w@1wt.eu> wrote: > > On Sun, Jan 15, 2012 at 11:52:38AM -0800, Adam Barth wrote: > >> The requirement in the spec is what we intend. The rule applies only > >> to that exact octet sequence. > > > > But then what are the impacts of not matching the correct content-type ? > > I'm not sure I understand your question. Can you explain a scenario > in which something happens that causes someone to be sad with the > current requirements? The draft presents an algorithm to determine a content type based on available information, but ignores some important information such as valid header values when presented in an unexpected form. For instance, if I get a file advertised like this : Content-type: text/plain; charset=us-ascii then it will not be interpreted as text/plain but rather based on what is found in the contents. This can make it impossible to read some documents purposely sent as plain text (eg: HTML or PS source code). It could also also have security impacts such as causing some plugins to be fed with the mis-identified data. For instance, imagine that I'm browsing behind a filtering proxy which checks that PDF documents are exempt of any exploit. This proxy will most likely consider the advertised content-type and won't fire the PDF analyser on text/plain documents. But the browser at the end of the chain ignores the text/plain and decides to launch the plugin. As you know, in general, having multiple components interprete different things from similar contents is dangerous for interoperability and for security. Note that it is possible that I missed something as it's not trivial to get right the way it's written :-/ Best regards, Willy
- Re: [websec] Minor feedback on draft-ietf-websec-… Adam Barth
- Re: [websec] Minor feedback on draft-ietf-websec-… Adam Barth
- Re: [websec] Minor feedback on draft-ietf-websec-… Julian Reschke
- Re: [websec] Minor feedback on draft-ietf-websec-… Adam Barth
- [websec] Minor feedback on draft-ietf-websec-mime… Willy Tarreau
- Re: [websec] Minor feedback on draft-ietf-websec-… Willy Tarreau
- Re: [websec] Minor feedback on draft-ietf-websec-… Willy Tarreau
- Re: [websec] Minor feedback on draft-ietf-websec-… Willy Tarreau
- Re: [websec] Minor feedback on draft-ietf-websec-… Willy Tarreau
- Re: [websec] Minor feedback on draft-ietf-websec-… Ian Hickson