Re: Proposal: new fsfs.conf properties

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Wed, 12 Jul 2017 13:37:07 +0000

Branko Čibej wrote on Wed, 12 Jul 2017 12:09 +0200:
> I wasn't really proposing to use libmagic on the server. My point is
> that instead of using file name suffixes (which the compression and
> deltification code don't know about), we'd do some sort of inspection
> instead. Detecting ZIP files, or gzip/bzip2/xz-compressed files, etc.,
> is fairly easy just from looking at a few bytes of headers. Same goes
> for most image and video formats.

That's an option, but it would mean re-solving the problem libmagic
solves. Is there a way for us to use libmagic securely?

E.g., we could give to libmagic only the first 10 or 20 bytes of the
file (which is enough for it to recognise mpeg/jpeg/xz files, in my
testing), or we could ask libmagic to provide an API that only runs
'safe' magic file tests (e.g., strcmp/memcmp-based tests only)…


Received on 2017-07-12 15:37:14 CEST
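
As an added illustration of the memcmp-only header inspection discussed in this thread (not code from Subversion, libmagic, or either poster): a fixed table of well-known magic numbers compared against at most the first 16 bytes of the data. The function name `sniff_precompressed`, the `SNIFF_MAX` cap, and the sample buffer are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: hypothetical helper, not Subversion or libmagic code. */
#define SNIFF_MAX 16            /* assumed cap: never read past 16 bytes */

static const unsigned char M_GZIP[]  = { 0x1f, 0x8b };
static const unsigned char M_BZIP2[] = { 'B', 'Z', 'h' };
static const unsigned char M_XZ[]    = { 0xfd, '7', 'z', 'X', 'Z', 0x00 };
static const unsigned char M_ZIP[]   = { 'P', 'K', 0x03, 0x04 };
static const unsigned char M_JPEG[]  = { 0xff, 0xd8, 0xff };
static const unsigned char M_PNG[]   = { 0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n' };

struct sig { const char *name; const unsigned char *magic; size_t len; };

#define SIG(n, m) { n, m, sizeof(m) }
static const struct sig sigs[] = {
    SIG("gzip", M_GZIP), SIG("bzip2", M_BZIP2), SIG("xz", M_XZ),
    SIG("zip", M_ZIP),   SIG("jpeg", M_JPEG),   SIG("png", M_PNG),
};

/* Return the format name if buf starts with a known signature, else NULL.
 * Only fixed-offset memcmp tests are run; no lengths, offsets or counts
 * are ever taken from the file contents. */
const char *sniff_precompressed(const unsigned char *buf, size_t len)
{
    size_t i;

    if (buf == NULL)
        return NULL;
    if (len > SNIFF_MAX)
        len = SNIFF_MAX;        /* ignore everything after the header */
    for (i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++) {
        /* A truncated header is "unknown", never a partial match. */
        if (len >= sigs[i].len && memcmp(buf, sigs[i].magic, sigs[i].len) == 0)
            return sigs[i].name;
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample: the first bytes of a gzip stream. */
    const unsigned char gz[] = { 0x1f, 0x8b, 0x08, 0x00 };
    const char *fmt = sniff_precompressed(gz, sizeof(gz));

    printf("%s\n", fmt ? fmt : "unknown");
    return 0;
}
```

A NULL result means "no known signature", so a caller would fall back to its default compression and deltification behaviour rather than treat the data as incompressible.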

This is an archived mail posted to the Subversion Dev mailing list.