Mark Sapiro writes:

> >Other people think pdfs are ok (except some are too big for old machines
> >to download).
> >
> >I also heard that a virus file could take on a fake extension, like .pdf,
> >and fool people.
>
> As far as fake extensions/MIME types are concerned, it is entirely
> possible to put malware in a text/plain part with a .txt extension.
> The question is what will the MUA or the file manager do with that
> file when you try to open it. In other words, if the virus comes with
> a faked benign extension, it is unlikely that the application that
> opens the file will actually execute the viral code.

Unfortunately, this is false. One of the reasons that Windows has a bad security rep as a workstation OS is that firewalls would decide on the basis of MIME Content-Type or file name extension that a file was harmless, IE would decide it couldn't handle it internally and pass it on to some other program, which would look not at the alleged file type but at the file's magic, which indicates that it's executable (either natively or via an interpreter), and then execute it. Boom! you're owned.

All known holes of this type have been closed, of course, but AFAIK Windows still operates in the above way, so new holes could open at any time as new programs are registered for various file types. Once those are discovered, the white hats will target them, so the probability that some of your users will get caught by an unclosed hole is pretty high.

This kind of feature is becoming more common in Unix-like systems too.

> I'm not saying one should be complacent.

Indeed. Despite the above, I would advocate slight paranoia in most cases, not total Fear and Loathing.

> I would recommend not allowing anything but plain text and perhaps
> a few carefully considered image and/or PDF types if the list's
> purpose requires it on a list with open subscription. On the other
> hand, if the list is closed and you know the members, you might be
> safe with no content filtering at all.

Sounds good to me.

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
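
Added example, not part of the original thread and not Mailman's own code: a check a list filter could run that compares each MIME part's declared Content-Type with its leading bytes, the "magic" described in the reply above. The function names, the magic tables and the sample message are constructed assumptions.

```python
from email.message import EmailMessage

# Leading bytes that mark content a loader or interpreter may execute.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE/DOS executable",
                    b"\x7fELF": "ELF executable",
                    b"#!": "script with interpreter line"}
# Leading bytes expected for content types a list might allow.
EXPECTED_MAGIC = {"application/pdf": b"%PDF-",
                  "image/png": b"\x89PNG\r\n\x1a\n",
                  "image/jpeg": b"\xff\xd8\xff"}

def suspicious_parts(msg):
    """Return (filename, declared type, reason) for parts whose bytes contradict the label."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        name = part.get_filename() or "(no filename)"
        for magic, kind in EXECUTABLE_MAGIC.items():
            if data.startswith(magic):
                # Executable magic is flagged whatever the label claims.
                findings.append((name, ctype, kind))
                break
        else:
            expected = EXPECTED_MAGIC.get(ctype)
            if expected and not data.startswith(expected):
                findings.append((name, ctype, "content does not match declared type"))
    return findings

def build_sample():
    """Constructed message: placeholder bytes only, no real executable content."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain text body.\n")
    msg.add_attachment(b"%PDF-1.4\n% constructed stub\n", maintype="application",
                       subtype="pdf", filename="minutes.pdf")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment("#!/bin/sh\necho constructed\n", filename="notes.txt")
    return msg

if __name__ == "__main__":
    for finding in suspicious_parts(build_sample()):
        print(finding)
```

A filter that trusts only the extension or Content-Type would pass `invoice.pdf` and `notes.txt` here; checking the leading bytes catches the disagreement before any downstream program gets to decide what the file really is.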