Re: [Hastymail-devel] Re: Security Concerns with HastyMail 1.0.1 (2)
Brought to you by:
sailfrog,
slushpupie
Menu
▾
▴
Re: [Hastymail-devel] Re: Security Concerns with HastyMail 1.0.1 (2)
|
From: Jason M. <ja...@st...> - 2004-08-23 15:59:41
|
On 10:47:01 am 2004-08-23 wechsler <par...@gm...> wrote:
> On Mon, 23 Aug 2004 10:38:57 -0500, Jason Munro <ja...@st...>
> > wrote: So IE simply decides to load the attachment, regardless of
> > the above RFC, unless I am missing something. I just now received
> > an interesting email with some sample code regarding this issue
> > stating that you MUST supply IE with a completely bogus mime type
> > in order to force it to download. If that solves the problem we
> > can do it but I don't like it as a solution very much (damn you
> IE!)
> That'll be me then - thought I'd set this account up to post to the
> list too to avoid having to play chinese whispers.
Yep :)
> AFAIK (while I wasn't clear when I posted this to Jason) you don't
> have to set a *completely* bogus mimetype, but you do have to set one
> that it can't possibly know how to display in the browser or with a
> helper app. The mimetype most commonly recommended is
> "application/octet-stream", but I prefer to avoid that as it looks
> like an executable to both the user and the downloading system - hence
> my preference for a bogus type of down/load - which is a hideous
> kludge, but imparts more useful knowledge to the user without scaring
> the system.
Well this is the source of my confusion. Unless we have a bug in the way we
are sending the HTTP header then this should be application/octect stream,
yet IE just goes and does wtf it feels like I guess. FWIW here is the
relevant section of download.php:
/* send HTTP headers for this part */
header('Pragma: ');
header('Cache-Control: cache');
header("Cache-control: private");
header("Content-type: ".$hm_input['type'].'/'.$hm_input['subtype']);
header("Content-Disposition: filename=\"".trim($hm_input['name'])."\"");
In this case $hm_input['type'] = 'application'
and $hm_input['subtype'] = 'octect-stream'
> I've used this system on a moderate number of sites without problem,
> and spent significant time (without sucess) trying to find a compliant
> alternative. As yet I've seen none.
>
> Also, I think IE is completely RFC-ignorant on this one. Anyone
> surprised?
Not really :)
\__ Jason Munro
\__ ja...@st...
\__ http://hastymail.sourceforge.net/
|