[Yanel-dev] [Bug 7279] New: YanelServlet.guessMimeType(String extension) has no secure alternative
bugzilla at wyona.com
Fri Sep 25 18:24:39 CEST 2009
http://bugzilla.wyona.com/cgi-bin/bugzilla/show_bug.cgi?id=7279
Summary: YanelServlet.guessMimeType(String extension) has no secure alternative
Product: Yanel
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: critical (A)
Priority: P1
Component: Security
AssignedTo: michael.wechner at wyona.org
ReportedBy: guillaume.deflache at wyona.com
QAContact: yanel-development at wyona.com
YanelServlet.guessMimeType(String extension) is used in some projects when
uploading files to check that the given file is of the correct type.
The problem is that this is not secure: malicious users can introduce crafted
files into the system or unknowing users can do that on behalf of some
malicious 3rd-party that crafted a harmful file which the user may want to
upload.
We should provide an additional getMimeType(InputStream) method and add a note
about this issue in the javadoc of both methods.
For implementation we could reuse one of these:
- http://lucene.apache.org/nutch/apidocs/org/apache/nutch/util/mime/MimeTypes.html
- http://www.medsea.eu/mime-util/
- also maybe http://commons.apache.org/fileupload/ has something useful
But rather look (but *do not post about this on the thread* there as this
security issue should remain private) at
http://lists.wyona.org/pipermail/yanel-development/2009-September/004069.html
for more details.
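As an added illustration of the getMimeType(InputStream) approach the report asks for (example code, not Yanel's own and not from the linked thread): a hypothetical sniffer that derives the type from the file's leading bytes and rejects an upload whose content does not match the type its extension claims. The class name, method names and the small magic-number table are assumptions.

```java
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Map;

/** Hypothetical content-based detector: an added example, not Yanel's own code. */
public class ContentMimeSniffer {
    // Constructed magic-number table (leading bytes -> MIME type); deliberately small.
    private static final Map<String, byte[]> MAGIC = Map.of(
        "image/png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "image/jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "image/gif", "GIF8".getBytes(),
        "application/pdf", "%PDF-".getBytes(),
        "application/zip", new byte[] {'P', 'K', 0x03, 0x04});

    /** Type implied by the leading bytes, or null. The stream must support mark/reset
     *  (e.g. a BufferedInputStream); it is rewound so the caller can still store it. */
    public static String getMimeType(InputStream in) throws IOException {
        if (!in.markSupported()) throw new IllegalArgumentException("stream must support mark/reset");
        byte[] head = new byte[16];
        in.mark(head.length);
        int n = 0;
        while (n < head.length) {              // read() may return fewer bytes than asked
            int r = in.read(head, n, head.length - n);
            if (r < 0) break;
            n += r;
        }
        in.reset();
        for (Map.Entry<String, byte[]> e : MAGIC.entrySet()) {
            byte[] sig = e.getValue();
            if (n >= sig.length && Arrays.equals(Arrays.copyOf(head, sig.length), sig)) {
                return e.getKey();
            }
        }
        return null;
    }

    /** Upload check: the content-derived type must equal the type the extension claims. */
    public static boolean isAcceptableUpload(String typeFromExtension, InputStream in) throws IOException {
        String sniffed = getMimeType(in);
        return sniffed != null && sniffed.equals(typeFromExtension);
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample: uploaded as "photo.png", but the bytes are a PDF header.
        InputStream in = new BufferedInputStream(new ByteArrayInputStream("%PDF-1.4".getBytes()));
        System.out.println(getMimeType(in) + " " + isAcceptableUpload("image/png", in));
    }
}
```

Leading-byte matching is itself only a heuristic, so pair it with an explicit allow-list of accepted types and serve stored uploads with a server-chosen Content-Type rather than one taken from the file.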