httpd-users mailing list archives
From "Jeff White" <jlw...@earthlink.net>
Subject Re: [users@httpd] How to get the client to download a file ??
Date Mon, 19 Apr 2004 14:04:02 GMT
From: "Boyle Owen"

> rename the files to something else,
> eg, myfile.sav and set the
> mime-type for these new types of file, eg:
>
> AddType application/octet-stream sav
>
> or
>
> override the default txt mime-type, viz:
>
> AddType application/octet-stream txt
>
> The second is a bit drastic since, from
> then on, any text files will get
> saved and not displayed. Of course,
> you could restrict the scope of this
> directive by placing it in a <Directory> or
> other container... Also, MSIE will probably
> ignore it.
>
> Rgds,
> Owen Boyle

<quote>

When files are served to the client, Internet
Explorer uses the following pieces of information
to decide how to handle the file:

File name extension
Content-Type from the HTTP header (MIME type)
Content-Disposition from the HTTP header
Results of the MIME sniff

In Service Pack 2 for Windows XP, Internet
Explorer requires that all file-type information
that is provided by Web servers is consistent.
For example, if the MIME type of a file is "text/plain"
but the MIME sniff indicates that the file is really
an executable file, Internet Explorer renames the
file by saving the file in the Internet Explorer cache
and changes its extension. (In a MIME sniff,
Internet Explorer examines, or sniffs, a file to
recognize the bit signatures of certain types of
files.)

Why is this change important?
What threats does it mitigate?

If file type information is misreported by the server
and that information is saved to the computer, a file
could be handled incorrectly later. For example, in
the above example, Internet Explorer might download
the file, assuming it is a text file. If the file has the .exe
file name extension, the file might run later without
prompting the user.

Snip

Web developers must change their Web servers to
host files, using consistent headers and file name
extensions.

Snip

By examining (or sniffing) a file, Internet Explorer can
recognize the bit signatures of certain types of files. In
Service Pack 2 for Windows XP, Internet Explorer MIME
sniffing will never promote a file of one type to a more
dangerous file type. For example, files that are received
as plain text but that include HTML code will not be
promoted to the HTML type, which could contain malicious
code.

In the absence of other file type information, the MIME
sniff might be the only information that determines how
to handle a given file download. If, for instance, Internet
Explorer upgrades a text file to an HTML file, the file
might execute code from the browser and possibly
elevate the file's security privilege.

Snip

Web servers that do not include the Content-Type
header with their files and that use non-standard
file name extensions for HTML pages now have
their pages rendered as plain text rather than HTML.

Snip

You should configure Web servers to use the correct
Content-Type headers or you can name the files with
the appropriate file name extension for the application
that should handle the file.

</quote>

There are many other changes included in SP2,
read WinXPSP2_Documentation.doc and other
files for more information.

Windows XP SP2 also back installs and
turns on the HTTP.SYS, the Windows
kernel mode "web server", for Windows
XP and later OSes (default usage on ports
80/445, and covers all ports - SSL enabled).

Welcome to the Windows XP Service Pack 2
Training Course for Developers
http://msdn.microsoft.com/security/productinfo/XPSP2/introduction.aspx

Jeff
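The four signals the quoted Microsoft text says the SP2 client weighs (file name extension, Content-Type, Content-Disposition, MIME sniff), modelled as a small consistency checker. This is an added example, not code from this thread, from Apache or from Microsoft: the signature table, the extension table and the sample responses are constructed here, and `download_headers()` emits what a server should send to force a download whose signals agree (the Apache equivalent is Owen's `AddType`/`ForceType` plus `Header set Content-Disposition ...` from mod_headers). The `X-Content-Type-Options: nosniff` header it adds is a later browser feature (IE8 onward) that the thread does not mention.

```python
"""Consistency check over extension, Content-Type, Content-Disposition and a
MIME sniff, following the SP2 rules quoted in the thread. Added example; the
tables and sample responses below are constructed, not Apache or Microsoft code."""
import posixpath
import string
from typing import Optional

# Constructed subset of magic-number signatures standing in for the sniffer's.
SIGNATURES = [
    (b"MZ", "application/x-msdownload"),        # Windows PE executable
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),
]
# Constructed extension table standing in for the server's mime.types.
EXTENSION_TYPES = {".txt": "text/plain", ".html": "text/html",
                   ".exe": "application/x-msdownload", ".pdf": "application/pdf"}
# A sniff alone may never "promote" a file to one of these types; the value is
# the safe downgrade an SP2-style client uses instead.
DEMOTE = {"text/html": "text/plain",
          "application/x-msdownload": "application/octet-stream"}
INLINE_TYPES = {"text/plain", "text/html", "image/png", "application/pdf"}
_TEXT_BYTES = set(string.printable.encode())


def sniff(body: bytes) -> str:
    """Guess a type from the leading bytes, as a browser MIME sniff does."""
    head = body[:512]
    for magic, mime in SIGNATURES:
        if head.startswith(magic):
            return mime
    if not head or any(b not in _TEXT_BYTES for b in head):
        return "application/octet-stream"
    lowered = head.lower()
    if b"<html" in lowered or b"<!doctype html" in lowered or b"<script" in lowered:
        return "text/html"
    return "text/plain"


def declared_type(headers: dict) -> Optional[str]:
    """Media type from Content-Type without parameters; None when absent."""
    value = headers.get("Content-Type", "")
    return value.split(";", 1)[0].strip().lower() or None


def is_attachment(headers: dict) -> bool:
    value = headers.get("Content-Disposition", "")
    return value.split(";", 1)[0].strip().lower() == "attachment"


def classify(filename: str, headers: dict, body: bytes) -> dict:
    """Pick the type the client acts on, test whether the server's signals agree
    with the bytes, and return the action an SP2-style client then takes."""
    ext_type = EXTENSION_TYPES.get(posixpath.splitext(filename)[1].lower())
    declared, sniffed, notes = declared_type(headers), sniff(body), []

    # 1. Type the client acts on, in order of trust: header, extension, sniff.
    if declared is not None:
        effective = declared
    elif ext_type is not None:
        effective = ext_type
        notes.append("no Content-Type; falling back to the file name extension")
    else:
        effective = DEMOTE.get(sniffed, sniffed)
        notes.append(f"no Content-Type and unknown extension; sniffed {sniffed}, handled as {effective}")
    if declared and ext_type and declared not in (ext_type, "application/octet-stream"):
        notes.append(f"extension implies {ext_type} but Content-Type says {declared}")

    # 2. Signals agree when they match the bytes, when the claim is the generic
    #    binary type, or when the claim is the safe downgrade of the sniff.
    consistent = (effective == sniffed
                  or effective == "application/octet-stream"
                  or effective == DEMOTE.get(sniffed)
                  or (sniffed == "text/plain" and effective.startswith("text/")))

    # 3. Client action as described in the quoted text.
    if not consistent and sniffed in DEMOTE:
        action = "save-renamed"   # cached copy gets a new extension so it cannot run later
        notes.append(f"served as {effective} but bytes sniff as {sniffed}")
    elif is_attachment(headers) or effective == "application/octet-stream":
        action = "download"
    else:
        action = "render" if effective in INLINE_TYPES else "download"
    return {"effective": effective, "sniffed": sniffed, "consistent": consistent,
            "action": action, "notes": notes}


def download_headers(filename: str) -> dict:
    """Headers that force a download with agreeing signals; nosniff postdates the thread."""
    safe_name = posixpath.basename(filename).replace('"', "")
    return {"Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{safe_name}"',
            "X-Content-Type-Options": "nosniff"}


# Constructed sample responses covering the cases discussed in the thread.
SAMPLES = {
    "plain text, correct headers": ("notes.txt", {"Content-Type": "text/plain"}, b"just notes\n"),
    "executable served as text": ("setup.txt", {"Content-Type": "text/plain"}, b"MZ\x90\x00\x03"),
    "HTML, no header, odd extension": ("page.data", {}, b"<html><body>hi</body></html>"),
    "renamed .sav via AddType": ("report.sav", {"Content-Type": "application/octet-stream"}, b"report\n"),
    "forced download of .txt": ("report.txt", download_headers("report.txt"), b"report\n"),
}


def run_samples() -> dict:
    return {name: classify(*sample) for name, sample in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:32} -> {result['action']:13} consistent={result['consistent']}")
        for note in result["notes"]:
            print(f"{'':32}    {note}")
```

The two server-side fixes from the thread map onto the last two samples: Owen's `AddType application/octet-stream sav` makes the generic binary type the declared type, and an explicit `Content-Disposition: attachment` does the same for a file that keeps its `.txt` name; both come out consistent and are downloaded. The executable served as `text/plain` is the quote's own example and is the one case flagged as `save-renamed`.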



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

