Simon Willison’s Weblog


Tuesday, 1st July 2008

Evil GIFs: Partial Same Origin Bypass with Hybrid Files. First there were PNGs that had crossdomain.xml files embedded in them, now there are GIFs that contain Java applets (as JAR files). At this point I’d say don’t even bother trying to validate uploaded files, just make sure they’re served off an entirely different domain instead where XSS doesn’t matter.

# 8:58 am / xss, security, validation, uploads, pngs, crossdomainxml, gifs, javaapplets, applets
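To make the hybrid-file problem concrete, here is an added Python example (not code from the linked post or from any of the projects it mentions): a naive magic-byte check accepts a file that starts like a GIF but also carries an archive inside it, a stricter check flags the archive signature, and a small helper builds the separate-origin URL and headers the post recommends. The hostname `usercontent.example`, the function names and the sample bytes are all constructed for this illustration.

```python
"""Hybrid (polyglot) upload checks and separate-origin serving (constructed example)."""
from urllib.parse import quote

# Leading bytes for the image types we accept.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# ZIP/JAR structure markers: local file header and end-of-central-directory record.
# A JAR is a ZIP, so either marker inside an "image" means it is also an archive.
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06")

# Assumption: a dedicated host that never carries session cookies for the main site,
# so a script or applet served from it cannot reach the application's origin.
UPLOAD_ORIGIN = "https://usercontent.example"


def naive_check(data: bytes, ext: str) -> bool:
    """Only inspects the first bytes. A GIF/JAR hybrid passes this check."""
    return any(data.startswith(magic) for magic in IMAGE_MAGIC.get(ext, ()))


def hybrid_check(data: bytes, ext: str) -> bool:
    """Leading bytes must match AND no archive signature may appear anywhere in the body."""
    if not naive_check(data, ext):
        return False
    return not any(sig in data for sig in ZIP_SIGNATURES)


def upload_response(stored_name: str, ext: str) -> dict:
    """URL and headers for serving an upload from the isolated origin.

    The content type is fixed from the validated extension (never from the client),
    nosniff stops browsers from second-guessing it, and the URL lives on UPLOAD_ORIGIN
    so even a file that turns out to be script or an applet runs in a throwaway origin.
    """
    return {
        "url": f"{UPLOAD_ORIGIN}/{quote(stored_name)}",
        "headers": {
            "Content-Type": f"image/{ext}",
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": "inline",
        },
    }


# Constructed sample inputs: a minimal GIF header with a blank body, and the same
# bytes with a ZIP local-file-header marker appended (standing in for an embedded JAR).
PLAIN_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16
HYBRID_GIF = PLAIN_GIF + b"PK\x03\x04" + b"\x00" * 16

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_GIF), ("hybrid", HYBRID_GIF)):
        print(label, "naive:", naive_check(blob, "gif"), "strict:", hybrid_check(blob, "gif"))
    print(upload_response("avatar-1.gif", "gif"))
```

The strict check still is not a guarantee (the post's point stands: a sufficiently clever container can satisfy two parsers at once), which is why the response helper treats origin isolation as the primary control and validation as a secondary one.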

Delighting with Data. Tom Taylor’s full transcript and slides for his recent talk at Oxford Geek Night—talks about Twitter bots, wikinear, iamnear.net and various other small but neat data repurposing projects.

# 1:24 pm / fireeagle, iamnear, oxfordgeeknight, tom-taylor, wikinear

Whitespace Sensitivity. Amusingly, Ruby is actually far more sensitive about whitespace than Python is.

# 2:50 pm / armin-ronacher, python, ruby, whitespace

"Digital Manners Policies" is a marketing term. Let's call this what it really is: Selective Device Jamming. It's not polite, it's dangerous. It won't make anyone more secure - or more polite.

Bruce Schneier

# 2:51 pm / marketing, security, bruce-schneier

Poking new holes with Flash Crossdomain Policy File. This is an old article from 2006 which describes the crossdomain.xml-hidden-in-a-GIF exploit I referred to in an earlier post (scroll down to the appendix for an example). As far as I know the Flash Player’s crossdomain.xml parser has been tightened up since.

# 4:12 pm / crossdomainxml, flash, gif, security

Django File Uploads (via) Nearly two years in the making, Django’s file upload capacity has received a major (and backwards incompatible) upgrade. Previously, files were uploaded by default into RAM—now, files larger than 2.5MB are streamed to a temporary file and extensive hooks are provided to customise where they end up—streaming to S3, for example.

# 5 pm / django, fileuploads, s3, uploads
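The memory-versus-disk behaviour described above, as an added stand-alone Python illustration that is not Django's own upload handler code: the request body arrives in chunks, stays in memory only up to a threshold, spills to a temporary file beyond it, and is rejected outright past a hard size cap, so a large upload can neither exhaust RAM nor fill the disk. The threshold value, the chunk generator and the function names are assumptions made for this example.

```python
"""Chunked upload spooling with a memory threshold and a hard cap (constructed example)."""
import hashlib
import tempfile
from typing import Iterable, Iterator, Tuple

MEMORY_THRESHOLD = 2_621_440   # 2.5 MB: the in-memory limit the post mentions (assumed exact value)
CHUNK_SIZE = 64 * 1024         # size of each chunk read from the request body (assumption)


def receive_upload(chunks: Iterable[bytes], max_bytes: int) -> Tuple[tempfile.SpooledTemporaryFile, int, str]:
    """Spool an upload, returning (file handle rewound to 0, byte count, SHA-256 hex digest).

    SpooledTemporaryFile keeps data in a BytesIO until max_size is exceeded, then
    transparently rolls over to a real temporary file, which is the same shape of
    behaviour the post describes. The hash is computed on the fly so the caller never
    has to re-read the whole body to verify it.
    """
    spool = tempfile.SpooledTemporaryFile(max_size=MEMORY_THRESHOLD)
    digest = hashlib.sha256()
    size = 0
    for chunk in chunks:
        size += len(chunk)
        if size > max_bytes:
            # Stop consuming the body as soon as the cap is crossed; discard what we have.
            spool.close()
            raise ValueError(f"upload exceeds limit of {max_bytes} bytes")
        spool.write(chunk)
        digest.update(chunk)
    spool.seek(0)
    return spool, size, digest.hexdigest()


def spilled_to_disk(spool: tempfile.SpooledTemporaryFile) -> bool:
    """True once the spool has rolled over from memory to a temp file.

    Assumption: relies on CPython's private `_rolled` flag, which is what the
    rollover() method sets; a production check would avoid private attributes.
    """
    return bool(spool._rolled)


def upload_fits(chunks: Iterable[bytes], max_bytes: int) -> bool:
    """Convenience wrapper: accept/reject without exposing the exception to callers."""
    try:
        spool, _, _ = receive_upload(chunks, max_bytes)
    except ValueError:
        return False
    spool.close()
    return True


def constructed_body(total: int, fill: bytes = b"x") -> Iterator[bytes]:
    """Constructed request body: `total` bytes of `fill` delivered in CHUNK_SIZE pieces."""
    remaining = total
    while remaining > 0:
        n = min(CHUNK_SIZE, remaining)
        yield fill * n
        remaining -= n


if __name__ == "__main__":
    small, size, digest = receive_upload(constructed_body(100_000), max_bytes=10_000_000)
    print("small upload on disk:", spilled_to_disk(small), size, digest[:16])
    large, size, digest = receive_upload(constructed_body(3_000_000), max_bytes=10_000_000)
    print("large upload on disk:", spilled_to_disk(large), size, digest[:16])
    print("oversized accepted:", upload_fits(constructed_body(3_000_000), max_bytes=1_000_000))
    small.close()
    large.close()
```

The hard cap is the security-relevant part: a streaming handler that spills to disk without a ceiling just moves the resource-exhaustion problem from RAM to the filesystem.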
