Tuesday, 1st July 2008
Evil GIFs: Partial Same Origin Bypass with Hybrid Files. First there were PNGs that had crossdomain.xml files embedded in them, now there are GIFs that contain Java applets (as JAR files). At this point I’d say don’t even bother trying to validate uploaded files, just make sure they’re served off an entirely different domain instead where XSS doesn’t matter.
Delighting with Data. Tom Taylor’s full transcript and slides for his recent talk at Oxford Geek Night—talks about Twitter bots, wikinear, iamnear.net and various other small but neat data repurposing projects.
Whitespace Sensitivity. Amusingly, Ruby is actually far more sensitive about whitespace than Python is.
"Digital Manners Policies" is a marketing term. Let's call this what it really is: Selective Device Jamming. It's not polite, it's dangerous. It won't make anyone more secure - or more polite.
Poking new holes with Flash Crossdomain Policy File. This is an old article from 2006 which describes the crossdomain.xml hidden in a GIF exploit I referred to in an earlier post (scroll down to the appendix for an example). As far as I know the Flash Player’s crossdomain.xml parser has been tightened up since.
Django File Uploads (via) Nearly two years in the making, Django’s file upload capacity has received a major (and backwards incompatible) upgrade. Previously, files were uploaded by default in to RAM—now, files larger than 2.5MB are streamed to a temporary file and extensive hooks are provided to customise where they end up—streaming to S3, for example.