W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2009

Re: NEW ISSUE: content sniffing

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 31 Mar 2009 14:26:31 -0700
Message-ID: <7789133a0903311426u3d45fbbbk15b156e336913436@mail.gmail.com>
To: Adrien de Croy <adrien@qbik.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, ietf-http-wg@w3.org
On Tue, Mar 31, 2009 at 2:23 PM, Adrien de Croy <adrien@qbik.com> wrote:
> Do servers sniff to try and fill in the Content-Type field?

Yes.  We found this is quite common when we examined open-source Web
applications that accept user uploads.  For example, Wikipedia does

> Most I think have a fairly simplistic static mapping of file extension to Content-Type.

This is how Apache works.

> Many types of content already have a signature in them which can be used to
> determine type. e.g jpegs, gifs etc.

Wikipedia uses this technique.  Mismatches between a site's sniffing
algorithm and the user agent's sniffing algorithm often lead to
exploitable vulnerabilities.  See Section 2.5 of
http://www.adambarth.com/papers/2009/barth-caballero-song.pdf for two
concrete examples of how this happens.

Received on Tuesday, 31 March 2009 21:27:22 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:48 UTC