how important is it to serve the mime-types?

daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

how important is it to serve the mime-types?

Post by daedalus__ »

I'm playing around with writing a template engine. I want it to be concise but powerful, and secure. Don't pretend I know what I'm talking about for one second either.

Anyways, my brain is telling me it is important to serve the correct mime-type. I know you can set it through Apache or PHP with headers or even meta tags or whatever.

What I'm wondering is how this applies to security? Is it important to serve correct content-types?

I'm kind of thinking, like, what if you create a PDF in PHP? Well, you need a way to say it's a PDF, right?

Or if you want to use a script to serve images or a script to serve downloads. Or whatever.

I feel like I already answered my own question, but if anyone has any comments or advice? Or knows of any places the mime-type can be manipulated I should look at?

:) thankies
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: how important is it to serve the mime-types?

Post by alex.barylski »

As I understand (by no means am I an expert in this matter either) mime-types for security is pointless; it's more a matter of letting (probably standards compliant) stupid browsers know which application to load to render a given file type, such as Adobe Reader for PDF, Excel for XLS, etc.

Nothing really security focused with mime-types, although it's probably a good practice to get into.

Cheers,
Alex
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: how important is it to serve the mime-types?

Post by josh »

Flash player actually ignores mime types, so if you think you have a .txt file, someone might still be able to embed and play it: viewtopic.php?f=34&t=109319

I think it's real important to consider who will be able to create files, and what kinds. Obviously a guest should not be able to get JavaScript into the system (even if they renamed it to .jpg).

In the Flash player case it is scary because someone could make a valid SWF that is also a valid ZIP, or a valid JPG, so "whitelisting" will not work; instead blacklisting is needed to compensate for Adobe's incompetency.
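An added example, not part of any post in this thread: a PHP script that serves stored uploads, picking the Content-Type from the file's bytes rather than its extension and forcing a download for anything it does not recognise. The names `INLINE_TYPES`, `headers_for_upload` and `serve_upload` are hypothetical, and the sample file is constructed.

```php
<?php
// Added example: hypothetical helper names, not code from the thread.
// Types this script is willing to display inline; everything else is downloaded.
const INLINE_TYPES = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];

/**
 * Decide the response headers for a stored upload from its bytes,
 * ignoring the extension or MIME type the uploader supplied.
 */
function headers_for_upload(string $path, string $clientName): array
{
    // finfo inspects magic bytes; it returns false when detection fails.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    $inline   = in_array($detected, INLINE_TYPES, true);

    // Strip anything that could break out of the quoted filename parameter.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($clientName));

    return [
        // Unknown or unlisted content is served as an opaque download.
        'Content-Type' => $inline ? $detected : 'application/octet-stream',
        // Tell browsers not to second-guess the declared type.
        'X-Content-Type-Options' => 'nosniff',
        'Content-Disposition' => ($inline ? 'inline' : 'attachment')
            . '; filename="' . $safeName . '"',
        'Content-Length' => (string) filesize($path),
    ];
}

// Emit the headers and stream the file to the client.
function serve_upload(string $path, string $clientName): void
{
    foreach (headers_for_upload($path, $clientName) as $name => $value) {
        header("$name: $value");
    }
    readfile($path);
}

// Constructed sample: JavaScript saved under an image extension.
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, "alert(document.cookie);\n");
    print_r(headers_for_upload($tmp, 'holiday.jpg'));
    unlink($tmp);
}
```

Magic-byte detection still accepts a file that is valid as two formats at once, which is the polyglot case raised in the thread. The headers only govern how a browser treats the response, not how a plugin that ignores them does.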