Rémy,

On 10/31/18 12:37, Rémy Maucherat wrote:
> There are two main contraptions in Tomcat that do (badly ...)
> extension to mime type mapping: the shared web.xml and some
> hardcoded stuff in startup.Tomcat.

It would probably be good to unify all that code, regardless of what
else we do.

> While we should obviously have support for user configured mime
> types in web.xml, as it's the spec, there should be a possibility
> to use Files.probeContentType as the fallback when a mime type
> isn't found (and maybe also have an option to disable it ? -
> although I don't quite see why it would bother anyone).

Why bother even doing that? File-extension mapping is a poor way to
perform file-type detection (in fact, it is NOT file type detection),
but the spec mandates it, so we are stuck.

But why bother providing container-managed file-type detection? Seems
like useless cruft to me.

> After looking at its implementation, it looks into all mime type
> locations we might want (the OS, a mime.types file, etc). The only
> problem is that it uses a Path (that would be an issue since it's
> super tied to a real filesystem), but thankfully it mostly uses
> toString and thus can be worked around using a new fake Path
> implementation.
>
> The code calling Files.probeContentType could be
> inserted here in DefaultServlet:
>
> // Find content type.
> String contentType = resource.getMimeType();
> if (contentType == null) {
>     contentType = getServletContext().getMimeType(resource.getName());
>     --->
>     resource.setMimeType(contentType);
> }
> 
> And then all the badly maintained content from web.xml and the
> Tomcat class can be deleted.
> 
> Comments ?

Even a benign library like libmagic has had a bunch of
vulnerabilities[1] over the years: provide a specially-crafted file
and you can do Bad Things.

If applications want to do this to themselves, why not let them do it
independently?

-chris

[1] https://www.cvedetails.com/product/22647/Tim-Robbins-Libmagic.html?vendor_id=12061
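
The lookup order discussed in this thread (configured mappings first, `Files.probeContentType` only as a fallback, with a switch to turn the fallback off), as an added example that is not code from Tomcat or from either poster. The class name, the `probeFallback` flag and the sample mapping are hypothetical, and it calls `Paths.get` on the bare resource name instead of the fake `Path` implementation the quoted proposal mentions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class MimeLookupSketch {
    // Stand-in for the <mime-mapping> entries from web.xml (hypothetical holder).
    private final Map<String, String> configured = new HashMap<>();
    // Hypothetical switch for the "option to disable it" raised in the thread.
    private final boolean probeFallback;

    MimeLookupSketch(boolean probeFallback) {
        this.probeFallback = probeFallback;
        configured.put("html", "text/html"); // constructed sample mapping
    }

    String getMimeType(String name) throws IOException {
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) {
            return null; // no extension, nothing to map
        }
        String type = configured.get(name.substring(dot + 1).toLowerCase(Locale.ENGLISH));
        if (type == null && probeFallback) {
            // Only the bare name is handed to the JDK, never the resource's location.
            // Which detectors answer is platform and JDK dependent; null is a valid result.
            Path nameOnly = Paths.get(name).getFileName();
            type = Files.probeContentType(nameOnly);
        }
        return type;
    }

    public static void main(String[] args) throws IOException {
        MimeLookupSketch withProbe = new MimeLookupSketch(true);
        MimeLookupSketch configuredOnly = new MimeLookupSketch(false);
        // Constructed names; the probe is given a name only.
        for (String name : new String[] {"index.html", "report.pdf", "README"}) {
            System.out.println(name + ": with fallback=" + withProbe.getMimeType(name)
                    + ", configured only=" + configuredOnly.getMimeType(name));
        }
    }
}
```

`Paths.get` throws `InvalidPathException` for names that are not valid on the host filesystem, which is the coupling to a real filesystem that the quoted proposal works around with a fake `Path`.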
