
how important is it to serve the mime-types?

Posted: Mon Dec 07, 2009 6:22 pm
by daedalus__
I'm playing around with writing a template engine. I want it to be concise but powerful, and secure. Don't pretend I know what I'm talking about for one second either.

Anyways, my brain is telling me it is important to serve the correct mime-type. I know you can set it through apache or php with headers or even meta tags or whatever.

What I'm wondering is how this applies to security? Is it important to serve correct content-types?

I'm kind of thinking like, what if you create a pdf in php, well you need a way to say it's a pdf right?

Or if you want to use a script to serve images or a script to serve downloads. Or whatever.

I feel like I already answered my own question, but if anyone has any comments or advice? Or knows of any places the mime-type can be manipulated I should look at?

:) thnkies

Re: how important is it to serve the mime-types?

Posted: Mon Dec 07, 2009 8:59 pm
by alex.barylski
As I understand (by no means am I an expert in this matter either), mime-types for security is pointless; it's more a matter of letting (probably standards compliant) stupid browsers know which application to load to render a given file type, such as Adobe Reader for PDF, Excel for XLS, etc.

Nothing really security focused with mime-types, although it's probably a good practice to get into.

Cheers,
Alex

Re: how important is it to serve the mime-types?

Posted: Sat Dec 19, 2009 12:07 am
by josh
Flash player actually ignores mime types, so if you think you have a .txt file someone might still be able to embed and play it: viewtopic.php?f=34&t=109319

I think it's really important to consider who will be able to create files, and what kinds. Obviously a guest should not be able to get javascript into the system (even if they renamed it to .jpg).

In the flash player case it is scary because someone could make a valid swf that is also a valid zip, or a valid jpg, so "whitelisting" will not work; instead blacklisting is needed to compensate for Adobe's incompetency.
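The two halves of this thread (the original question about serving a PDF or an image from a script with the right Content-Type, and josh's point that a file can be a valid JPEG and a valid SWF or ZIP at the same time) fit together in one small PHP example. This is an added example, not code from any poster; the function names, the upload directory layout and the idea of recording a type at upload time are assumptions. Validation looks at the bytes the client actually sent rather than the filename, and serving uses the recorded type plus `X-Content-Type-Options: nosniff` so the browser does not guess a different type on its own.

```php
<?php
// Added example (not from the original thread). Assumption: each stored upload
// has a Content-Type recorded at upload time by validateUpload(); serveFile()
// uses that recorded value and never anything taken from the request.

// Whitelist: extension => [expected leading bytes, Content-Type to serve]
const ALLOWED_TYPES = [
    'jpg' => ["\xFF\xD8\xFF",        'image/jpeg'],
    'png' => ["\x89PNG\r\n\x1A\n",   'image/png'],
    'gif' => ['GIF8',                'image/gif'],
    'pdf' => ['%PDF-',               'application/pdf'],
];

// Signatures that are refused regardless of extension (the blacklist josh
// describes): Flash movie headers and the ZIP end-of-central-directory record.
const SWF_HEADERS = ['FWS', 'CWS', 'ZWS'];
const ZIP_EOCD    = "PK\x05\x06";

/**
 * Validate an uploaded file by its content. $ext is the extension the file
 * will be stored under; $path is the temporary upload. Returns the
 * Content-Type to record, or null if the file is rejected.
 */
function validateUpload(string $path, string $ext): ?string
{
    $ext = strtolower($ext);
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;                       // not a type we serve at all
    }
    [$magic, $contentType] = ALLOWED_TYPES[$ext];

    $data = file_get_contents($path);
    if ($data === false) {
        return null;
    }

    // 1. The leading bytes must match the whitelisted type for this extension,
    //    so "script.js renamed to .jpg" fails here.
    if (strncmp($data, $magic, strlen($magic)) !== 0) {
        return null;
    }

    // 2. Nothing that starts like a Flash movie is accepted under any name.
    foreach (SWF_HEADERS as $h) {
        if (strncmp($data, $h, strlen($h)) === 0) {
            return null;
        }
    }

    // 3. A ZIP reader locates the archive by the end-of-central-directory record
    //    near the end of the file, so a JPEG with an archive appended is still a
    //    valid ZIP. The record is 22 bytes and may be followed by a comment of
    //    up to 65535 bytes, so only that tail needs to be searched.
    $tail = substr($data, -(22 + 65535));
    if (strpos($tail, ZIP_EOCD) !== false) {
        return null;
    }

    // 4. Defense in depth against content-sniffing browsers: refuse an "image"
    //    whose first bytes contain markup that a sniffer could decide is HTML.
    if (stripos(substr($data, 0, 1024), '<script') !== false) {
        return null;
    }

    return $contentType;
}

/**
 * Serve a stored file with an explicit type. $contentType is the value
 * recorded by validateUpload(), never something supplied by the client.
 */
function serveFile(string $path, string $contentType, string $downloadName): void
{
    header('Content-Type: ' . $contentType);
    header('X-Content-Type-Options: nosniff');   // do not let the browser re-guess

    // Images may render inline; everything else is forced to be a download so
    // the browser never tries to display it as a page.
    $disposition = (strncmp($contentType, 'image/', 6) === 0) ? 'inline' : 'attachment';
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName);
    header('Content-Disposition: ' . $disposition . '; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));

    readfile($path);
}

// Usage sketch (assumed file layout):
//   $type = validateUpload($_FILES['f']['tmp_name'], 'jpg');
//   if ($type === null) { http_response_code(400); exit; }
//   ... move the file and store $type beside it ...
//   serveFile('/var/uploads/1234.jpg', $type, 'photo.jpg');
```

The magic-byte check alone only establishes what a file *starts* as; a JPEG with a ZIP appended still passes it, which is why the tail scan is a separate step. Step 4 is a narrow mitigation, not a parser: a real whitelist for images would re-encode them with an image library so that nothing but pixel data survives. None of this replaces the question josh raises first, namely who is allowed to upload which kinds of files in the first place.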