Author: Alan J. Flavell
Date:
To: Alexander Sabourenkov
CC: Exim users list
Subject: Re: [Exim] Re: .eml attachments
On Thu, 18 Jul 2002, Alexander Sabourenkov wrote:
> Nigel Metheringham wrote:
> > You've not ventured into the world of windows have you?
>
> No, I just tried to point out a certain false positive.
> Not that I'm not happy ever since I dumped windows in favor of freebsd.
>
> > Extension is everything, bugger the MIME type.
MS's behaviour seems to be even worse than that.
> Extension is nothing, content-type is nothing. They're untrusted user input.
Content-type is the sender's declaration of what the content
represents. It's an important part of the interworking interface.
Yes, sure you should be sceptical of what the sender is offering.
If we were talking HTTP, then RFC2616 says that the sender's
advertised Content-type is authoritative. "If AND ONLY IF" the
content-type is not available, other ways of recognising the content
may be used. That spec doesn't apply "as such" to email, but I still
think the principle is sound. If the sender isn't capable of knowing
what content-type they are sending, then their content isn't worth
having anyway.
> Analyze the content to know what it is.
Good idea - as a security measure; but if it then turns out to be
incompatible with the sender's stated content-type, then something is
wrong. Best move is to declare the content unusable...
Worst move is to assume that the content must be what it appears to
be, irrespective of what the sender claimed it was, and without
bothering to warn the recipient of what's happening and get their
positive confirmation. That way lies madness - and large numbers of
successful viruses.
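The cross-check described in the reply above (sniff the content, compare it with the sender's declared Content-Type and with the filename extension, and refuse anything that contradicts itself rather than quietly treating it as what it "looks like"), written out as an added example. This is not code from the thread and not part of Exim; the magic-byte table and extension table are small constructed lookups (a real filter would use something like libmagic), and the sample message is built inline purely to exercise the check.

```python
"""Cross-check each MIME attachment's declared Content-Type and filename
extension against the bytes it actually carries (leading "magic" bytes).

Added example, not Exim code and not from the original thread. Policy: an
attachment whose sniffed type contradicts what the sender declared is
rejected, never silently re-labelled to what it appears to be.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Assumed, deliberately small magic-byte table for a handful of formats.
MAGIC = [
    (b"MZ", "application/x-msdownload"),      # DOS/PE executable
    (b"PK\x03\x04", "application/zip"),
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF8", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

# Assumed mapping from filename extension to the type that extension implies.
EXT_TYPES = {
    "exe": "application/x-msdownload",
    "zip": "application/zip",
    "pdf": "application/pdf",
    "png": "image/png",
    "gif": "image/gif",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "txt": "text/plain",
}


def sniff_type(data: bytes) -> Optional[str]:
    """Media type implied by the leading bytes, or None if not recognised."""
    for prefix, mtype in MAGIC:
        if data.startswith(prefix):
            return mtype
    return None


def ext_type(filename: Optional[str]) -> Optional[str]:
    """Media type implied by the filename extension, or None if unknown."""
    if not filename or "." not in filename:
        return None
    return EXT_TYPES.get(filename.rsplit(".", 1)[1].lower())


def check_attachments(raw: bytes) -> list:
    """Return one verdict dict per attachment: accept only when nothing conflicts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()        # sender's declaration
        name = part.get_filename()
        sniffed = sniff_type(data)                 # what the bytes say
        by_ext = ext_type(name)                    # what the name says
        problems = []
        if sniffed and sniffed != declared:
            problems.append(f"declared {declared} but content looks like {sniffed}")
        if sniffed and by_ext and by_ext != sniffed:
            problems.append(f"extension implies {by_ext} but content looks like {sniffed}")
        if by_ext and by_ext != declared:
            problems.append(f"extension implies {by_ext} but Content-Type is {declared}")
        results.append({
            "filename": name,
            "declared": declared,
            "sniffed": sniffed,
            "verdict": "reject" if problems else "accept",
            "problems": problems,
        })
    return results


def build_sample() -> bytes:
    """Constructed message: an honest PNG, an executable labelled as text/plain
    with a .txt name, and an ordinary text file that no sniffer recognises."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m["Subject"] = "files"
    m.set_content("See attached.")
    m.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                     maintype="image", subtype="png", filename="logo.png")
    m.add_attachment(b"MZ" + b"\x90" * 30,
                     maintype="text", subtype="plain", filename="notes.txt")
    m.add_attachment(b"plain notes, nothing to see\n",
                     maintype="text", subtype="plain", filename="readme.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for r in check_attachments(build_sample()):
        print(r["verdict"], r["filename"], "; ".join(r["problems"]))
```

The third sample attachment shows the deliberate asymmetry: when the sniffer cannot identify the content it has no grounds to contradict the sender, so the declared type stands and the part is accepted; only positive disagreement between the bytes and the declaration is treated as "something is wrong".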