So I can have a file evil_applet.jpg that is a valid jpg and also a valid java applet? The website where the file is uploaded will serve the file with a mimetype of jpg.
If I try to force it as an applet on a 3rd party site:
<embed type="java" src="http://facebook.com/profiles/12345/evil_applet.jpg">
The java plugin should refuse to load it since it doesn't have a java mimetype. I'm guessing from the article that the java plugin will load it anyway, which I believe is a bug in the java plugin.
I don't think the websites should have to try to filter beyond verifying that it's a valid image file. Besides the fact that re-encoding jpg images reduces their quality, it is conceivable that it won't even solve the problem.
In a perfect world, the java plugin would not have this bug, but in the real world it might not be a bad idea for websites to try to filter out this specific attack in order to protect their users.
I have some guesses about how this works. JAR is basically ZIP, which puts the directory at the end of the file. I guess that GIF (or at least most GIF decoders) has a header at the beginning of the file and will ignore any garbage at the end of a file. Sites can filter this out without recompressing by canonicalizing images; i.e. removing any data that is not necessary for properly decoding the image.
(The OS X spell checker suggests "cannibalizing" instead of "canonicalizing". I guess you could do that, too.)
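The canonicalization idea in the comment above, worked through as an added example (this is not code from the thread or from any project it mentions). The script walks the GIF block structure to the 0x3B trailer and, going a step beyond the comment, also walks JPEG marker segments to the EOI marker, reports how many bytes follow the point where a decoder stops reading, flags a ZIP end-of-central-directory signature anywhere in the upload, and canonicalizes by truncating at the image's own terminator rather than re-encoding pixels. The sample GIF and JPEG bytes and the appended tail are constructed for the example; the function names are my own.

```python
import struct

GIF_HEADERS = (b"GIF87a", b"GIF89a")
JPEG_SOI = b"\xff\xd8"
ZIP_EOCD = b"PK\x05\x06"          # ZIP end-of-central-directory signature


def gif_end_offset(data: bytes) -> int:
    """Return the offset just past the GIF trailer (0x3B) by walking the block
    structure; raise ValueError if the stream is not a well-formed GIF."""
    if data[:6] not in GIF_HEADERS:
        raise ValueError("not a GIF")

    def skip_subblocks(p: int) -> int:
        while data[p] != 0:               # each sub-block: length byte, then payload
            p += 1 + data[p]
        return p + 1                      # past the zero-length terminator

    try:
        pos = 13                          # header (6) + logical screen descriptor (7)
        packed = data[10]
        if packed & 0x80:                 # global colour table present
            pos += 3 * (2 ** ((packed & 0x07) + 1))
        while True:
            block = data[pos]
            if block == 0x3B:             # trailer: the decoder stops here
                return pos + 1
            if block == 0x2C:             # image descriptor (10 bytes)
                img_packed = data[pos + 9]
                pos += 10
                if img_packed & 0x80:     # local colour table present
                    pos += 3 * (2 ** ((img_packed & 0x07) + 1))
                pos = skip_subblocks(pos + 1)   # +1 skips LZW minimum code size
            elif block == 0x21:           # extension: label byte, then sub-blocks
                pos = skip_subblocks(pos + 2)
            else:
                raise ValueError(f"unexpected GIF block 0x{block:02x} at {pos}")
    except IndexError:
        raise ValueError("truncated GIF") from None


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the JPEG EOI marker (FF D9) by walking
    marker segments and skipping entropy-coded scan data."""
    if data[:2] != JPEG_SOI:
        raise ValueError("not a JPEG")
    try:
        pos = 2
        while True:
            if data[pos] != 0xFF:
                raise ValueError(f"expected marker at {pos}")
            marker = data[pos + 1]
            if marker == 0xD9:            # EOI: the decoder stops here
                return pos + 2
            if marker == 0xFF:            # fill byte before a marker
                pos += 1
                continue
            if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers
                pos += 2
                continue
            length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            pos += 2 + length
            if marker == 0xDA:            # SOS: scan data until the next real marker
                while not (data[pos] == 0xFF and data[pos + 1] != 0x00
                           and not 0xD0 <= data[pos + 1] <= 0xD7):
                    pos += 1
    except IndexError:
        raise ValueError("truncated JPEG") from None


def inspect_upload(data: bytes) -> dict:
    """Report image type, where a decoder stops reading, how many trailing bytes
    follow, and whether a ZIP end-of-central-directory record is present."""
    if data[:6] in GIF_HEADERS:
        kind, end = "gif", gif_end_offset(data)
    elif data[:2] == JPEG_SOI:
        kind, end = "jpeg", jpeg_end_offset(data)
    else:
        raise ValueError("not a supported image")
    return {"kind": kind, "image_end": end, "trailing_bytes": len(data) - end,
            "zip_eocd_present": ZIP_EOCD in data}


def canonicalize(data: bytes) -> bytes:
    """Keep only the bytes the image decoder uses; no re-encoding of pixels."""
    return data[:inspect_upload(data)["image_end"]]


# Constructed samples: a 1x1 GIF, a skeletal JPEG, and a tail carrying a ZIP EOCD signature.
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
              b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x04\x00\x00\xff\xda\x00\x02"
               b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")
SAMPLE_TAIL = ZIP_EOCD + b"\x00" * 18

if __name__ == "__main__":
    print(inspect_upload(SAMPLE_GIF))
    print(inspect_upload(SAMPLE_GIF + SAMPLE_TAIL))
```

On a clean upload `trailing_bytes` is 0 and `zip_eocd_present` is false; any non-zero tail is worth rejecting or stripping, and an EOCD signature anywhere in an image file has no legitimate reason to be there. Truncation only removes appended data; a site that also wants to drop unused extension blocks or colour-table slack would re-serialize the parsed structure instead.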
A PDF file does not become a plain text file just because some berk serves it with "text/plain" and it shouldn't open directly in the browser showing me a stream of gibberish.
A PDF file also does not suddenly become a security risk worthy of blocking at a firewall because some berk served it as "application/x-initech-file" (true story, name changed).
Use the file extension, that's what it's there for. If it's a .gif, don't load and run it as a Java program!
How do you suggest browsers should handle php, asp, aspx, ace, pl and py files then? How would the browser know if the server-generated content is an RSS feed, an image or an HTML page?
Are you seriously suggesting it's the browser which should support whatever scripting backend which is used on the server?