[Openfontlibrary] ccHost compression

Brendan Ferguson drsassafras at gmail.com
Sun Nov 2 21:09:13 PST 2008


> I suppose the "Report possible License violation" feature could be
> duplicated/extended to "Report possible malicious file" so a simple
> machine filter like file extensions would have a social safety net.
>
>> The *nix "file" command reads the file
>> headers and determines file type based on the pattern of bytes in the
>> headers of files -- that is the most reliable way to do it.
>
> Well, in the supposed "upload zip, uncompress zip, if other files
> added, compress all the files into a new zip" process, running the
> "file" command on the files to check their type matches their file
> extension at the "uncompress zip" and "files added" stages would be
> great.
>
> Brendan, what do you think? :-)


It sounds like you are describing user security. This is really a server security issue for me.

Take a PHP file. What headers will it have? NONE! I have also looked at a project that reads headers, and they primarily read audio file headers. Even HTML files will have to be disabled if PHP support is enabled for HTML files (which it is not). With a PHP file being executed by the server, you may (depending on the way passwords were stored) be able to produce a dump of all the emails and stored passwords for them. Or say someone uploads an rpm file and then manages to execute it on the server?

I am not a security expert, but I do know basic security rules. Getting the file onto the server is the first big step in launching an attack. I have managed to "hack" several sites, gaining access to privileged database information this way, constructing a map of the database from error messages I purposefully evoked. All due to a lack of uploading rules.

As per a blacklist, we would need to find a "tried and true" list, as I doubt we would be able to come up with them all. And it would constantly change with the evolution of technology (.php3 .php4 .phtml .php + more) for PHP. Then there is Cold Fusion, ASP, Server Side Includes, Server-side JavaScript etc. This is just part of the web based technologies that can cause an excitation on the server. Although I am not familiar with many of them, many may have more than one extension.
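The "uncompress zip, check that each file's type matches its extension" step discussed above, as an added example that is not from anyone in this thread: an allowlist of font extensions combined with a leading-bytes check, so a script renamed to .ttf is rejected without maintaining a blacklist of script extensions. The signature table, the sample archive and the function names are assumptions constructed for this example.

```python
import io
import zipfile

# Leading bytes of the font formats the library would accept (an allowlist).
# sfnt / OTTO / wOFF / wOF2 are the documented TrueType, OpenType/CFF, WOFF
# and WOFF2 headers; the table itself is constructed for this example.
FONT_SIGNATURES = {
    ".ttf": (b"\x00\x01\x00\x00", b"true"),
    ".otf": (b"OTTO", b"\x00\x01\x00\x00"),
    ".woff": (b"wOFF",),
    ".woff2": (b"wOF2",),
}


def check_member(name, head):
    """Allowlist the extension, then require the content to match it."""
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    sigs = FONT_SIGNATURES.get(ext)
    if sigs is None:
        return False, f"{name}: extension {ext or '(none)'} not allowed"
    if not any(head.startswith(s) for s in sigs):
        return False, f"{name}: bytes do not match a {ext} font"
    return True, f"{name}: ok"


def validate_zip(zip_bytes):
    """Inspect every member of an uploaded ZIP; return (accepted, rejected)."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # A member name that escapes the extraction directory is a
            # separate upload risk; reject it before looking at content.
            if info.filename.startswith("/") or ".." in info.filename.split("/"):
                rejected.append(f"{info.filename}: unsafe path")
                continue
            with zf.open(info) as fh:
                ok, reason = check_member(info.filename, fh.read(16))
            (accepted if ok else rejected).append(reason)
    return accepted, rejected


def build_sample():
    """Constructed upload: a TTF-like file, a .php file, and PHP renamed .ttf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Good.ttf", b"\x00\x01\x00\x00" + b"\x00" * 60)
        zf.writestr("shell.php", b"<?php echo 'not a font'; ?>")
        zf.writestr("Sneaky.ttf", b"<?php echo 'not a font'; ?>")
    return buf.getvalue()
```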

