eddiewebb closed 4 years ago
What if, on upload, we saved files with an arbitrary, nonthreatening extension, and then returned them with the proper one on download?
That's fine, because it suits my specific need, but also -- extensions are not threatening, files are.
Extension spoofing exploits work in the opposite direction: malicious file types cloaked under safe extensions, usually hidden by modern OSes.
If the filetype itself (in this case detected as XML) is safe, the extension won't make it dangerous; replacing the extension won't make it safe.
(Simple proof: save a shell script as .doc (or .anything) -- it will still execute as a script if invoked.)
```console
$ echo "echo \"im a script\"" > word.doc
$ chmod +x word.doc
$ ./word.doc
im a script
```
(I think) I'm having the same/related issue. I try to upload a .3mf file, but that gets changed to .zip. https://en.wikipedia.org/wiki/3D_Manufacturing_Format The applications that can open such files (3D print slicers) expect a .3mf, not a .zip. It would be nice if file extensions do not get changed.
Extension is rewriting the file extension of files on upload, making them invalid for download.
I want to let users upload .gpx files. They are technically XML, but the extension is important so they can be imported to GPS devices and apps.
The problem, as best I can discover, is that every browser/OS combo has its own way of interrogating local files to decide the mime-type it sends to the server. Most OSes have a list or registry they maintain that is inspected by the browser.
The plugin currently "guesses" the extension based on mime type, and only if that is missing, falls back to the actual client-provided extension. Because of that, the extension renames the file to *.xml instead of leaving it as .gpx, making it invalid for import elsewhere.
I'm not suggesting a change in the way files are inspected during upload; I agree inspecting filetype is safer than trusting the user-provided extension to allow/block the upload.
I am just suggesting we should just not alter the extension when we save it; I do not agree that adds security to the server or folks who later download it.
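The behaviour proposed above (decide allow/block from the file's content, but keep the uploader's extension when saving), sketched as an added Python example. It is not the plugin's code and was not posted by anyone in this thread; `sniff_type`, `stored_name`, the type-to-extension table and the sample uploads are assumptions made for illustration.

```python
import os
import re
from typing import Optional

# Assumed policy (not the plugin's): sniffed content type -> extensions that
# may be kept for it. .gpx is XML; .3mf is a ZIP container.
ALLOWED = {
    "application/xml": {".xml", ".gpx"},
    "application/zip": {".zip", ".3mf"},
}

# Constructed sample uploads.
GPX = b'<?xml version="1.0"?><gpx version="1.1"></gpx>'
THREE_MF = b"PK\x03\x04" + b"\x00" * 26
SCRIPT = b'echo "im a script"\n'


def sniff_type(data: bytes) -> Optional[str]:
    """Classify by content only; client MIME type and file name are ignored."""
    if data.startswith(b"PK\x03\x04"):
        return "application/zip"
    # Skip a UTF-8 BOM and leading whitespace before the XML declaration.
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:64]
    if head.startswith(b"<?xml"):
        return "application/xml"
    return None


def stored_name(client_name: str, data: bytes) -> str:
    """Return the name to save under, or raise ValueError to block the upload."""
    kind = sniff_type(data)
    if kind is None:
        # The allow/block decision rests on content, so a script named
        # word.doc is rejected whatever its extension says.
        raise ValueError("content type not allowed")
    # Drop path components and unusual characters from the client's name.
    base = os.path.basename(client_name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    stem, ext = os.path.splitext(base)
    # Keep the client's extension only if it is a known name for this content.
    if not stem or ext.lower() not in ALLOWED[kind]:
        raise ValueError(f"extension {ext!r} not accepted for {kind}")
    return stem + ext.lower()
```
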