Trusted vs Untrusted MIME types

Rodney Dawes dobey.pwns at gmail.com
Sun Jul 8 20:12:47 PDT 2007


On Sun, 2007-07-08 at 22:38 -0400, Michael Richardson wrote:
> >>>>> "Rodney" == Rodney Dawes <dobey.pwns at gmail.com> writes:
>     >> How can a type be "safe" or "unsafe"? Safeness depends on the
>     >> application.  E.g. a python script is safe if you open it with a
>     >> text editor, but not if you use a python interpreter.
>     >> 
>     >> Perhaps applications that are designed to handle untrusted data
>     >> safely could be flagged as such in their .desktop files?
> 
>     Rodney> What about trusted applications with security flaws, that
>     Rodney> handle "trusted" types? A tar.gz might be considered "safe",
>     Rodney> but could expose a security flaw in gzip.
> 
>   That's a bug.
>   There are always bugs.
> 
>   A python script which can run "rm -rf /", is a feature.
>   It will always do that.

Bug or not, the level of safety there must be determined by the user.
One user's safe is another user's ZOMG! No amount of software
abstraction is going to change that. It just seems silly to me that we
keep trying to write software to be smarter than the user, rather than
just writing software that works for the users. While the majority of
people on the planet don't know what a python script is, it still will
be very annoying to have to click through an extra dialog every time I
want to view a python file on web svn.

One very important design heuristic that should be followed here is
"Always let the user feel in control." If the user doesn't feel like
she can control what's happening, the software is going to be an
annoyance more than an assistance.  Inciting fear with a pop-up stating
that a file might contain malicious code, for only a small subset of
the possible files that might do so, doesn't actively make the situation
any better.

Why not have magic matches for known malicious data in files, instead of
just blanketing whole mime types? Doing that would take care of even
files we think we might trust, like JPEGs, without being overly
intrusive in the UI when not necessary. Because, really, by definition,
any file not explicitly created by the user should be considered
potentially unsafe. And even some files created by the user should be
considered unsafe, because we don't know if the software that created
it is safe.


-- dobey
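
The post contrasts blanketing whole MIME types with matching on what is actually in the file. The following is an added example, not code from this thread, from the xdg project or from shared-mime-info: it classifies a file by filename extension and, separately, by content magic, then flags the two cases the post cares about, a name/content mismatch (a file called .jpg whose bytes are a shell script) and executable content regardless of declared type (a Python script with an interpreter line). The magic table, the extension table and the sample files are all constructed for illustration and are only a tiny subset of what a real magic database contains.

```python
"""Added example: content (magic) classification vs. filename-based MIME typing."""
import os

# Constructed magic table in the spirit of shared-mime-info's <magic> rules,
# NOT the real database. Entries: (mime type, offset, byte pattern, priority);
# when several patterns match, the highest priority wins.
MAGIC_RULES = [
    ("image/jpeg",                0, b"\xff\xd8\xff",          50),
    ("image/png",                 0, b"\x89PNG\r\n\x1a\n",     50),
    ("application/gzip",          0, b"\x1f\x8b",              50),
    ("application/x-executable",  0, b"\x7fELF",               50),
    ("text/x-python",             0, b"#!/usr/bin/env python", 60),
    ("text/x-python",             0, b"#!/usr/bin/python",     60),
    ("application/x-shellscript", 0, b"#!",                    40),
]

# Constructed extension table: the "blanket MIME type" view the post argues against.
EXTENSION_TYPES = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
    ".gz": "application/gzip", ".py": "text/x-python",
    ".sh": "application/x-shellscript",
}

OCTET_STREAM = "application/octet-stream"


def type_by_name(filename):
    """Type as a desktop might guess it from the filename alone."""
    ext = os.path.splitext(filename)[1].lower()
    return EXTENSION_TYPES.get(ext, OCTET_STREAM)


def type_by_magic(data):
    """Type from the leading bytes; the most specific (highest priority) rule wins."""
    best = None
    for mime, offset, pattern, prio in MAGIC_RULES:
        if data[offset:offset + len(pattern)] == pattern:
            if best is None or prio > best[1]:
                best = (mime, prio)
    return best[0] if best else OCTET_STREAM


def has_interpreter_line(data):
    """A '#!' first line makes the file a program for the named interpreter,
    whatever its extension says."""
    return data.startswith(b"#!")


def assess(filename, data):
    """Classify both ways and flag disagreements and executable content."""
    by_name = type_by_name(filename)
    by_magic = type_by_magic(data)
    flags = []
    if by_name != by_magic:
        flags.append("name/content mismatch")
    if has_interpreter_line(data) or by_magic == "application/x-executable":
        flags.append("executable content")
    return {"name_type": by_name, "magic_type": by_magic, "flags": flags}


# Constructed sample files (hypothetical names and contents).
SAMPLES = {
    "photo.jpg":     b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + b"\xff\xd9",
    "vacation.jpg":  b"#!/bin/sh\nrm -rf /\n",            # script hiding behind .jpg
    "tool.py":       b"#!/usr/bin/env python3\nprint('hi')\n",
    "backup.tar.gz": b"\x1f\x8b\x08\x00" + b"\x00" * 6,
}


def run_samples():
    """Assess every constructed sample; returns {filename: assessment}."""
    return {name: assess(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:14} name={result['name_type']:27} "
              f"magic={result['magic_type']:27} flags={result['flags']}")
```

The extension view calls vacation.jpg a "trusted" image and tool.py an "untrusted" script; the content view says vacation.jpg is the shell script and that both scripts, not the image, carry executable content. That is the difference between warning on a type and warning on what the file will actually do when opened.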
