[Zope] ExtFile - wrong file extension and content_type
Michael Vartanyan
pycry at doli.biz
Tue Feb 7 17:27:46 EST 2006
Which version of ExtFile are you using? Which OS? ExtFile has some
strange hacks to guess the extension it should use. If it is unable to
determine the content type from the upload, it would set in to
"application/octet-stream" (which is OK so far), and then pass this
wrong finding to guess_extension function of mimetypes module chances
are that it will return .obj as extension. Whatever. But then ExtFile
does the following:
mime_ext = guess_extension(content_type or self.content_type)
if mime_ext is not None:
if mime_ext in ('.jpeg', '.jpe'):
mime_ext = '.jpg' # for IE/Win :-(
if mime_ext in ('.obj',):
mime_ext = '.exe' # b/w compatibility
if REPOSITORY_EXTENSIONS == MIMETYPE_APPEND:
id_name = id_name + id_ext
id_ext = mime_ext
well. I would really like to know what does this "b/w" mean in this
context? Not black&white for sure :-). The good news is that you can
simply change this .exe into whatever you like, the name of the
repository file really doesn't matter and I agree .exe is a scary
choice, especially if you are using one very popular operating system.
Regards
Michael
P.S. Looks like a warm/backdoor actually ;-) heh, Gregor? ;)
Palermo, Tom wrote:
> All,
>
> I am working on a project using ExtFile. Lately, when uploading MS
> Word files, they get uploaded to the file system as .exe files (eg.
> test.doc becomes test.exe) and the content_type is set to
> application/octet-stream instead of application/msword. Sometimes the
> content_tpye is correct but the file extension is still set to .exe.
> Does anyone know what could be causing this? Is there a config setting
> in ExtFile that's doing this? Any ideas would be much appreciated.
>
> Thanks,
> Tom
More information about the Zope
mailing list