[websec] mimesniff feedback

Philip Jägenstedt <philipj@opera.com> Fri, 25 November 2011 13:37 UTC

http://tools.ietf.org/html/draft-ietf-websec-mime-sniff-03

The right column is misaligned for:

+-------------------+-------------------+-----------------+------------+
| FF FF FF FF FF FF | WS 3C 3f 78 6d 6c | text/xml        | Scriptable |
| Comment: <?xml (Note the case sensitivity and lack of trailing _>)  |
+-------------------+-------------------+-----------------+------------+

+-------------------+-------------------+-----------------+------------+
| FF FF FF FF FF    | 4F 67 67 53 00    | application/ogg | Safe       |
| Comment: An Ogg audio or video signature.                     |
+-------------------+-------------------+-----------------+------------+

Typo: "as define in"

In 6.1 "Signature for MP4":

* If implemented naively, it can "segfault" at step "If octets 5 through  
8..." for n<8.

* I don't know anything about the MP4 file format, but there's an  
off-by-one error in "If octets 4*i through 4*i + 3 (inclusive)". It seems  
likely that the magic bytes are aligned on 4 byte boundaries and that it  
should be "4*i+1 through 4*i+3". That'll also make the octet count 3, to  
match "mp4".

* The initial check is for n<4, but the algorithm can only return true for  
n>=12. Adjusting that solves the "segfault" as well.

-- 
Philip Jägenstedt
Core Developer
Opera Software
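
Added example, not part of the original message or of the draft: a bounds-checked MP4 signature matcher in C that puts the n >= 12 guard first, so none of the reads discussed above can run past a short buffer. The ftyp box layout and the function name matches_mp4_signature are assumptions, following the MP4 signature algorithm in the later WHATWG MIME Sniffing Standard; offsets are 0-based.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not quoted in the message): 4-byte big-endian box size,
 * "ftyp", 4-byte major brand, 4-byte minor version, then 4-byte compatible
 * brands. Offsets here are 0-based; the draft counts octets from 1. */
int matches_mp4_signature(const uint8_t *buf, size_t n)
{
    /* Every fixed-offset read below touches bytes 0..11, so check that
     * first; a weaker guard such as n < 4 lets short inputs be over-read. */
    if (buf == NULL || n < 12)
        return 0;

    uint32_t box_size = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                        ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];

    /* box_size comes from untrusted input: it must fit inside the buffer. */
    if (box_size > n || box_size % 4 != 0)
        return 0;
    if (memcmp(buf + 4, "ftyp", 4) != 0)
        return 0;

    /* Major brand: 3 bytes "mp4"; the 4th byte is a variant character. */
    if (memcmp(buf + 8, "mp4", 3) == 0)
        return 1;

    /* Compatible brands sit on 4-byte boundaries from offset 16. Since
     * box_size is a multiple of 4 and <= n, off + 3 stays in bounds. */
    for (size_t off = 16; off < box_size; off += 4)
        if (memcmp(buf + off, "mp4", 3) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed samples, not real files. */
    static const uint8_t ok[] = "\x00\x00\x00\x18" "ftypisom" "\x00\x00\x00\x00" "isommp42";
    static const uint8_t cut[] = "\x00\x00\x00\x18" "ft";
    printf("full=%d truncated=%d\n",
           matches_mp4_signature(ok, sizeof ok - 1),
           matches_mp4_signature(cut, sizeof cut - 1));
    return 0;
}
```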