[ic] [interchange] Revert "Add image file check mechanism to verify file type before passing to"

JB jbeima at palb.com
Sat May 14 15:55:27 UTC 2016



Sent from my iPad

> On May 14, 2016, at 8:37 AM, Mike Heins <mikeh at endpoint.com> wrote:
> 
> Quoting David Christensen (david at endpoint.com):
>> 
>>>> On May 14, 2016, at 7:28 AM, Mike Heins <mike at heins.com> wrote:
>>>> 
>>>>    Per discussion, this is not Interchange's responsibility.
>>> Since the image tag does call "mogrify", I would argue that it is the Image tag's responsibility.
>> 
>> Anyone who would update Interchange from git to fix this would already
>> have the chops to fix the root problem anyway. This is an
>> education/awareness issue, not something we should be working around.
>> We aren't rolling our own TLS layer to fix Heartbleed, for instance.
>> Why is this any different?
> 
> Because it makes sense, for all sorts of data integrity reasons, to limit
> a program's input to that which it is intended to service. It is true that
> the spur is a security issue, but the end is noble in and of itself.
> 
> The only downside would be a limitation of the program, which might be
> able to handle unanticipated image types, but at this point the universe
> of those types is pretty static.
> 
> -- 
> Mike Heins
> End Point -- Expert Internet Consulting    http://www.endpoint.com/
> phone +1.765.253.4194  <mikeh at endpoint.com>
> 
> Experience is what allows you to recognize a mistake the second
> time you make it. -- unknown
> 
> _______________________________________________
> interchange-users mailing list
> interchange-users at icdevgroup.org
> http://www.icdevgroup.org/mailman/listinfo/interchange-users

Could I chime in on this one?

Would it also not prevent ImageTragick?

By sanitizing the data?

Another point may be, many applications now "sanitize" the data to prevent SQL injections. Could this not be a way to do that for other attacks?
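The check Mike describes above, limiting the input to the raster formats the image tag is meant to serve, comes down to inspecting the leading bytes of the file rather than trusting its extension, since ImageMagick chooses its decoder from the content. The following is an added illustration of that check and is not Interchange's own code; the function names, the allow-list and the constructed sample byte strings are assumptions.

```python
"""Magic-byte check for an uploaded image before it is handed to an
external tool such as ImageMagick's mogrify.

Added illustration, not Interchange code. The signature table covers
only JPEG, PNG and GIF; extend it for any other format the site expects.
"""
import subprocess

# Leading bytes of the formats the image tag is intended to handle.
# ImageMagick dispatches on content, not the file name, so a file
# called foo.jpg that begins with text would still reach the text
# coders (MVG, SVG, ...) unless the bytes are checked first.
SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def sniff_image_type(data):
    """Return the format whose signature starts `data`, or None.

    Short or empty input never matches, so a truncated upload is
    rejected rather than passed through.
    """
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def check_image(data, allowed=("jpeg", "png", "gif")):
    """Return the detected format if it is on the allow-list.

    Raises ValueError for anything else, including a recognised
    format that this particular call does not accept.
    """
    fmt = sniff_image_type(data)
    if fmt is None or fmt not in allowed:
        raise ValueError("not an accepted image type: %r" % (data[:8],))
    return fmt


def mogrify_checked(path, args, allowed=("jpeg", "png", "gif")):
    """Run mogrify on `path` only after the magic-byte check passes.

    The command is an argument list (no shell), so the file name is
    never interpreted by a shell either. Not exercised by the test.
    """
    with open(path, "rb") as fh:
        head = fh.read(16)
    fmt = check_image(head, allowed)
    subprocess.run(["mogrify", *args, path], check=True)
    return fmt


# Constructed sample inputs (assumptions, not real uploads).
SAMPLES = {
    "png_ok": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "gif_ok": b"GIF89a" + b"\x00" * 10,
    "jpeg_ok": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "text_named_jpg": b"push graphic-context\nviewbox 0 0 640 480\n",
    "svg_named_png": b"<svg xmlns=\"http://www.w3.org/2000/svg\">",
    "empty": b"",
}


def run_samples():
    """Map each sample name to the sniffed format (None = rejected)."""
    return {name: sniff_image_type(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, fmt in run_samples().items():
        print("%-15s -> %s" % (name, fmt or "rejected"))
```

This is defence in depth, not a substitute for fixing ImageMagick itself: a file that begins with a valid JPEG header can still trigger a bug in the JPEG decoder, and the text coders should additionally be disabled in ImageMagick's policy.xml on any host that converts untrusted uploads.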
