- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sat, 30 Apr 2011 11:54:16 -0700
> Maybe a bit more contriving could come up with a more plausible example. My concern is a bit more straightforward. To use a practical example: just because a social networking site allows nearly arbitrary JPEG files to be uploaded and served as profile pictures (Content-Type: image/jpeg) does not mean that the applications wants users to be offered that content as a download named Security_Update.exe, supposedly coming from that trusted site. (It is usually not difficult to construct documents that are both a valid image and a valid executable.) But yes, there are probably also potential interactions with whitelisted domains, especially given that the whitelist-based capabilities are expanding rapidly. /mz
Received on Saturday, 30 April 2011 11:54:16 UTC