Re: [Hastymail-devel] Re: Security Concerns with HastyMail 1.0.1 (2)
From: Jason M. <ja...@st...> - 2004-08-23 15:59:41
On 10:47:01 am 2004-08-23 wechsler <par...@gm...> wrote:
> On Mon, 23 Aug 2004 10:38:57 -0500, Jason Munro <ja...@st...> wrote:
> > So IE simply decides to load the attachment, regardless of the above
> > RFC, unless I am missing something. I just now received an interesting
> > email with some sample code regarding this issue stating that you MUST
> > supply IE with a completely bogus mime type in order to force it to
> > download. If that solves the problem we can do it but I don't like it
> > as a solution very much (damn you IE!)
>
> That'll be me then - thought I'd set this account up to post to the
> list too to avoid having to play Chinese whispers.

Yep :)

> AFAIK (while I wasn't clear when I posted this to Jason) you don't
> have to set a *completely* bogus mimetype, but you do have to set one
> that it can't possibly know how to display in the browser or with a
> helper app. The mimetype most commonly recommended is
> "application/octet-stream", but I prefer to avoid that as it looks
> like an executable to both the user and the downloading system - hence
> my preference for a bogus type of down/load - which is a hideous
> kludge, but imparts more useful knowledge to the user without scaring
> the system.

Well this is the source of my confusion. Unless we have a bug in the way
we are sending the HTTP header then this should be application/octet-stream,
yet IE just goes and does wtf it feels like I guess.

FWIW here is the relevant section of download.php:

    /* send HTTP headers for this part */
    header('Pragma: ');
    header('Cache-Control: cache');
    header("Cache-control: private");
    header("Content-type: ".$hm_input['type'].'/'.$hm_input['subtype']);
    header("Content-Disposition: filename=\"".trim($hm_input['name'])."\"");

In this case $hm_input['type'] = 'application' and
$hm_input['subtype'] = 'octet-stream'

> I've used this system on a moderate number of sites without problem,
> and spent significant time (without success) trying to find a compliant
> alternative. As yet I've seen none.
>
> Also, I think IE is completely RFC-ignorant on this one. Anyone
> surprised?

Not really :)

\__ Jason Munro
\__ ja...@st...
\__ http://hastymail.sourceforge.net/
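An added example, not HastyMail's download.php and not code from either poster, showing the header set a forced download should carry: it keeps the generic application/octet-stream type, states the "attachment" disposition type that the Content-Disposition line in download.php above omits, adds X-Content-Type-Options: nosniff (honoured by IE 8 and later, so not available to the 2004 code) so the browser does not sniff the body for HTML, and strips CR/LF and quotes from the sender-controlled filename. The function name hm_download_headers and its signature are hypothetical.

```php
<?php
// Added example (not HastyMail's own download.php): build the response
// headers for a mail attachment so the browser saves it instead of
// rendering it inline. Function name and signature are hypothetical.

function hm_download_headers(string $type, string $subtype, string $name): array
{
    // Only allow a plain MIME token for type/subtype; anything else falls
    // back to the generic binary type so the browser has nothing it could
    // "helpfully" display inline.
    $token = '/^[A-Za-z0-9!#$&^_.+-]+$/';
    if (!preg_match($token, $type) || !preg_match($token, $subtype)) {
        $type = 'application';
        $subtype = 'octet-stream';
    }

    // The filename comes from the message, i.e. from the sender. Remove
    // CR/LF (header injection), quotes, path separators and non-printable
    // bytes, and keep a fallback name if nothing usable is left.
    $name = trim($name);
    $name = preg_replace('/[\r\n"\\\\\/]/', '_', $name);
    $name = preg_replace('/[^\x20-\x7E]/', '_', $name);
    if ($name === '') {
        $name = 'attachment.bin';
    }

    return [
        'Content-Type: ' . $type . '/' . $subtype,
        // "attachment" is the disposition type that asks for a save dialog;
        // a bare "filename=" (as in download.php above) leaves it unstated.
        'Content-Disposition: attachment; filename="' . $name . '"',
        // Tells IE 8+ and other browsers not to sniff the body and override
        // the declared type with text/html.
        'X-Content-Type-Options: nosniff',
        'Cache-Control: private',
    ];
}

// Usage inside a download script; the CR/LF in the constructed sample
// name would otherwise make header() refuse the line.
foreach (hm_download_headers('application', 'octet-stream', "report\r\n.html") as $h) {
    header($h);
}
```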