Trusted vs Untrusted MIME types

Stephan Arts stephan at xfce.org
Sat Jul 7 15:36:54 PDT 2007


On 7/7/07, Christopher Aillon <caillon at redhat.com> wrote:
> Thomas Leonard wrote:
> > Both the .desktop file and the MIME information come from the application,
> > so that doesn't help you.
>
> You are correct that the desktop file and the MIME information the
> application claims to support both come from the application.  Good
> thing for me that this thread isn't about that.  :-)
>
> I'm requesting a list of MIME types known to be potentially unsafe,
> which already exists in epiphany's source code.  I want each application
> that needs to use this to not have to keep track of their own list.
>
> > However, putting it in the MIME database is quite risky. For example, say
> > I'm writing a python code visualiser. I want to be able to click on a
> > python file in my browser to view its structure, so I supply my program
> > with an MIME XML file saying "Python files are safe".
> >
> > Now, if the user also has IPython installed, clicking on a Python file
> > might run it without asking!
>
> You need to understand that security is all about mitigating risks.
> When downloading a file which can be executed, we need to make sure we
> know of this possibility and act accordingly.  That might mean not
> caring what programs are "safe" or not and giving the user the option of
> the system default text editor (which would be the default) and a list
> of other applications which claim to handle the type.  Or maybe the
> default would be to simply download it.  That is irrelevant because the
> browser implementors and mail client implementors get to decide this.
> The point is that they need to know that certain files might need to be
> handled differently.
>
>
> >> Knowing that the content is potentially dangerous is much more valuable
> >> here anyway, because maybe Firefox might simply refuse to open the file
> >> via a helper and only download it to disk.  Maybe it wants to issue a
> >> warning to the user.
> >
> > What would the warning say?
>
> In the download manager, the download could be a different color, there
> could be an icon that would denote its status as potentially dangerous.
> Maybe when the user attempts to open from the download manager, it
> would pop up a dialog similar to what nautilus does when you try to open
> a shell script:
>
> "foo.sh is an executable text file.  Do you want to run foo.sh or
> display its contents?"
>
> But it doesn't really matter what it would say.  You aren't going to be
> implementing that part.  It is clear that this is needed because
> epiphany already implements it.  MSIE does something similar.
> Mozilla is asking for it for use in Firefox, Thunderbird, etc.

You do realize that the assumptions of mimetypes being 'safe' (and
providing additional features accordingly) lead to the most common
security vulnerabilities on the Windows platform?

I am not saying this would be a waste of time, but unless someone can
come up with a solid definition of 'safe', do not even try to implement
anything of this kind. If there is one thing we can learn from MS,
then it is that not doing it right can be worse than not doing it at
all.

Please be careful where you are taking this.

my 2ct,

Stephan.
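As an added example (not code from epiphany, Firefox or the xdg MIME database), a download-manager policy that combines the list of potentially unsafe types Christopher asks for with the Nautilus-style executable-text check he quotes, and follows Stephan's caution by treating any type not on an explicit list as untrusted. The type lists, the file names and their contents are constructed assumptions for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed deny-list of types a handler might execute (not epiphany's real list).
POTENTIALLY_EXECUTABLE = {
    "application/x-executable", "application/x-sharedlib",
    "application/x-shellscript", "text/x-python", "text/x-perl",
}
# Assumed allow-list of types a helper may open without a prompt.
DISPLAY_ONLY = {"text/plain", "text/html", "image/png", "image/jpeg"}

def looks_like_executable_text(path) -> bool:
    """Nautilus-style check: an exec bit or a '#!' line means a handler might run it."""
    if os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"

def classify(mime_type: str, path) -> str:
    """Return 'prompt' (ask run or display), 'open' or 'save-only'.
    Only the browser's own lists are consulted: a .desktop or MIME XML file
    from an application saying 'Python files are safe' cannot change this."""
    if mime_type in POTENTIALLY_EXECUTABLE or looks_like_executable_text(path):
        return "prompt"
    if mime_type in DISPLAY_ONLY:
        return "open"
    # Unknown type: fail closed rather than assume it is safe to open.
    return "save-only"

def demo() -> dict:
    """Constructed sample downloads: (mime type, content, exec bit set)."""
    samples = {
        "notes.txt": ("text/plain", b"just text\n", False),
        "foo.sh": ("text/plain", b"#!/bin/sh\necho hi\n", False),
        "tool.py": ("text/x-python", b"print(1)\n", False),
        "blob.bin": ("application/x-unknown-thing", b"\x00\x01", False),
        "run.txt": ("text/plain", b"data\n", True),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (mime, data, exe) in samples.items():
            p = Path(tmp, name)
            p.write_bytes(data)
            if exe:
                p.chmod(0o755)
            results[name] = classify(mime, p)
    return results
```

Note that `foo.sh` is served as `text/plain` and still gets the prompt, because the shebang check does not rely on the declared type.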

