* MIME types for image attachments
@ 2020-11-07 19:10 Leah Neukirchen
From: Leah Neukirchen @ 2020-11-07 19:10 UTC (permalink / raw)
  To: meta

Hi,

I just noticed this on a plain public-inbox 1.6.0 installation:

https://inbox.vuxu.org/9fans/8F5F1B4BCF0E2F1DA17BDFBF06430DC7@abbatoir.fios-router.home/T/#u
> [-- Attachment #2: Type: image/png, Size: 56860 bytes --]

However, when I click on it:

% curl -I https://inbox.vuxu.org/9fans/8F5F1B4BCF0E2F1DA17BDFBF06430DC7@abbatoir.fios-router.home/2-a.bin
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sat, 07 Nov 2020 19:08:48 GMT
Content-Type: application/octet-stream
Content-Length: 56860
Connection: keep-alive

Any reason this is not served as image/png?  I don't think serving
image/* types is particularly dangerous, and it easily allows looking
at attached images from the browser.

Thanks,
-- 
Leah Neukirchen  <leah@vuxu.org>  https://leahneukirchen.org/
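As an added defender-side check (example code, not from the thread or from public-inbox itself): a small audit of an attachment response as a browser would see it, comparing the declared Content-Type against the body's magic bytes and checking for the nosniff and Content-Disposition headers that make serving image/* types inline safe. The header block is the curl output quoted in the message; the PNG body prefix and the image allow-list are constructed for the example.

```python
# Assumed allow-list of image types and their magic bytes (example data, not public-inbox's own).
IMAGE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

def parse_head_output(text: str) -> dict:
    """Parse the header block printed by `curl -I` into a lowercase-keyed dict."""
    headers = {}
    for line in text.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def sniff_image_type(body_prefix: bytes):
    """Return the image type whose magic bytes match the body, else None."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if any(body_prefix.startswith(s) for s in sigs):
            return mime
    return None

def audit_attachment_response(headers: dict, body_prefix: bytes) -> list:
    """List the ways an attachment response falls short of safe inline serving."""
    findings = []
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    sniffed = sniff_image_type(body_prefix)
    if ctype == "application/octet-stream" and sniffed:
        findings.append(f"body is a real {sniffed}; could be served with that type")
    elif ctype.startswith("image/") and sniffed != ctype:
        # Sender-supplied type was trusted but the bytes disagree: do not serve inline.
        findings.append(f"declared {ctype} but magic bytes indicate {sniffed or 'unknown'}")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no X-Content-Type-Options: nosniff (browser may sniff the type)")
    if not headers.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("no Content-Disposition: attachment")
    return findings

# Constructed sample: the curl -I output quoted in the message, plus a fabricated PNG prefix.
CURL_OUTPUT = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sat, 07 Nov 2020 19:08:48 GMT
Content-Type: application/octet-stream
Content-Length: 56860
Connection: keep-alive
"""
PNG_PREFIX = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
if __name__ == "__main__":
    for finding in audit_attachment_response(parse_head_output(CURL_OUTPUT), PNG_PREFIX):
        print("-", finding)
```

Run against the quoted response it reports three findings; a response carrying a verified image/png type plus nosniff and an attachment disposition reports none.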


Thread overview: 5+ messages
2020-11-07 19:10 MIME types for image attachments Leah Neukirchen
2020-11-07 20:39 ` Eric Wong
2020-11-08  0:05   ` Leah Neukirchen
2020-11-08  7:49     ` [PATCH] wwwattach: set "Content-Disposition: attachment" Eric Wong
2020-11-23 14:15       ` [PATCH v2] wwwattach: prevent deep-linking via Referer match Eric Wong
