The dangerous, exquisite art of safely handing user-uploaded files: Tom Eastman (was: Does This Scare You?)

Random832 random832 at fastmail.com
Mon Aug 22 11:56:49 EDT 2016


On Mon, Aug 22, 2016, at 11:40, Chris Angelico wrote:
> Windows has some other issues, including that arbitrary files can
> become executable very easily (eg if %PATHEXT% includes its file
> extension), and since the current directory is always at the beginning
> of your path, this can easily turn into a remote code execution
> exploit.

I didn't include dot in my example whitelist, and there's no mechanism
for an attacker to add random extensions to your PATHEXT.

> And any GUI that automatically calculates thumbnails from
> image files (this includes Windows, Mac OS, and more than one Linux
> window manager) could potentially be attacked via a malformed file,
> simply by having it appear on the file system.

This has nothing to do with the filename, unless you additionally assume
that this will only happen if the file is called .jpg.
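The two points argued above (a character whitelist that leaves out the dot, so the client can never pick the extension, and a separate check against a PATHEXT-style executable list) as an added example in Python; this is not code from the thread or from Tom Eastman's talk. The whitelist, the PATHEXT-style list and the content-type-to-extension map are constructed for the example, and the server, not the uploaded name, decides the extension:

```python
import os
import string

# Characters an uploaded filename may consist of after sanitising.
# Deliberately excludes "." so the uploader cannot choose an extension
# (the point about the whitelist made in the post above). Constructed set.
ALLOWED_CHARS = frozenset(string.ascii_letters + string.digits + "_-")

# PATHEXT-style list of extensions a Windows shell treats as executable.
# Constructed from common defaults; a real deployment on Windows would read
# os.environ.get("PATHEXT") instead of hard-coding this.
EXECUTABLE_EXTENSIONS = frozenset(
    e.lower() for e in ".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WSF;.MSC;.PS1".split(";")
)

# Server-side mapping from the content type we detected (or were told) to
# the extension we assign. The client-supplied name never contributes one.
EXTENSION_FOR_TYPE = {
    "image/jpeg": ".jpg",
    "image/png": ".png",
    "application/pdf": ".pdf",
}


def sanitize_stem(user_filename: str, max_len: int = 64) -> str:
    """Reduce an untrusted filename to a whitelisted stem.

    Path separators, dots and anything outside ALLOWED_CHARS are dropped;
    an empty result becomes "upload" so callers always get a usable name.
    """
    # Keep only the last path component so "../x" cannot escape a directory.
    base = user_filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem = "".join(ch for ch in base if ch in ALLOWED_CHARS)[:max_len]
    return stem or "upload"


def safe_upload_name(user_filename: str, content_type: str) -> str:
    """Build the on-disk name: whitelisted stem plus server-chosen extension.

    Raises ValueError for content types we do not serve and, as defence in
    depth, for any assigned extension that appears in the executable list.
    """
    try:
        ext = EXTENSION_FOR_TYPE[content_type]
    except KeyError:
        raise ValueError(f"unsupported content type: {content_type!r}")
    if ext.lower() in EXECUTABLE_EXTENSIONS:
        raise ValueError(f"refusing executable extension {ext!r}")
    return sanitize_stem(user_filename) + ext


def is_executable_on_windows(filename: str) -> bool:
    """True if the filename's extension is in the PATHEXT-style list."""
    return os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample inputs an upload handler might receive.
    print(safe_upload_name("../../evil.exe", "image/jpeg"))  # evilexe.jpg
    print(safe_upload_name("cute cat.JPG", "image/png"))      # cutecatJPG.png
    print(is_executable_on_windows("payload.bat"))            # True
```

Because the stem can contain no dot, the only extension on disk is the one the server appended from the content-type table, which is what makes the PATHEXT check a secondary safeguard rather than the primary control.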