Bugtraq mailing list archives
Re: TXT or HTML? -- IE NEW BUG
From: "Justin Nelson" <security () jm4n com>
Date: Sun, 29 Jul 2001 15:10:57 -0400
In response to:
IE doesn't recognize the extensions of files, which may contain some html code.
and:
It's worse than that - even if you have a cgi script that outputs a content-type of "text/plain" - some (all?) version of IE still...
I've found that IE (4.0 through 5.5) follows a certain pattern for remote files:

First it checks the content-type, before any data is looked at. From here it does one of three things:

- If this MIME type is handled by an external application (eg, RealAudio), it is passed off to that application. No further checking is done by IE. This also applies to things like PDF, XLS, and other things handled in the browser by an ActiveX/plugin -- but NOT files natively rendered by IE.
- If it is something for which no automatic action is defined (EXE, ZIP, etc), and not something IE handles internally, it gives the user a prompt (run/download).
- Otherwise, it's recognized by IE as something it should render internally. It is at this point that the "magic" kicks in.

**I don't think the actual file extension makes any difference on remote files**

Once IE determines that it is responsible for rendering the file directly, it will show it however it feels appropriate. It will do this by completely ignoring the MIME type and extension, rendering based on content (exception: text/html is *always* rendered as HTML, whether or not there are HTML tags).

For local files, the extension seems to be the tell-all. A quick test shows that a local TXT file containing HTML is shown as expected (plain old text), and a GIF with HTML shows as a broken image.

I have tested the pattern by putting a small amount of HTML in:

http://www.jm4n.com/test.txt
http://www.jm4n.com/test.html
http://www.jm4n.com/test.gif
http://www.jm4n.com/test.png
http://www.jm4n.com/test.zip
http://www.jm4n.com/test.rm

These are all the same file (symlinks to test.txt). Note that ZIP, RM, and (duh) HTML are handled correctly as I described. TXT, PNG, and GIF are rendered in the browser as HTML. This fits the pattern.

Also note that any of these same files *locally* will do what you would expect - the magic apparently only applies to remote files.

PS - Sorry for the long-winded explanation...

- Justin Nelson
Justin () jm4n com
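Added example, not part of the original post or any IE code: a small Python model of the three-way pattern described above, usable as a server-side check that flags responses declared as non-HTML which this pattern would still render as HTML. The MIME sets, the tag heuristic, the 512-byte window and the sample body are assumptions; the post does not say how IE decides that content is HTML.

```python
import re

# Assumed stand-ins for the post's categories; it names only RealAudio, PDF,
# XLS (external/plugin) and EXE, ZIP (prompt) as examples.
EXTERNAL = {"audio/x-pn-realaudio", "application/vnd.rn-realmedia",
            "application/pdf", "application/vnd.ms-excel"}
PROMPT = {"application/zip", "application/octet-stream",
          "application/x-msdownload"}

# Assumed heuristic: a known tag name near the start of the body.
HTML_HINT = re.compile(
    rb"<\s*(html|head|body|script|title|img|table|h[1-6]|a|b|p)\b", re.I)

def predicted_handling(content_type, body):
    """Model the pattern the post describes for remote files."""
    mime = content_type.split(";")[0].strip().lower()
    if mime in EXTERNAL:
        return "external"      # passed to the application, no further checks
    if mime in PROMPT:
        return "prompt"        # run/download dialog
    if mime == "text/html":
        return "html"          # always rendered as HTML, tags or not
    # Simplification: every other type is treated as rendered internally,
    # where the post says MIME type and extension are ignored.
    return "html" if HTML_HINT.search(body[:512]) else "as-declared"

def sniffing_risks(responses):
    """Names of responses declared non-HTML but predicted to render as HTML."""
    return [name for name, ctype, body in responses
            if not ctype.lower().startswith("text/html")
            and predicted_handling(ctype, body) == "html"]

# Constructed sample: one body under six names, mirroring the post's test.
# The Content-Type paired with each name is an assumption.
BODY = b"<html><body><b>test</b></body></html>"
SAMPLE = [
    ("test.txt", "text/plain", BODY),
    ("test.html", "text/html", BODY),
    ("test.gif", "image/gif", BODY),
    ("test.png", "image/png", BODY),
    ("test.zip", "application/zip", BODY),
    ("test.rm", "application/vnd.rn-realmedia", BODY),
]

if __name__ == "__main__":
    for name in sniffing_risks(SAMPLE):
        print(name, "is declared non-HTML but would render as HTML")
```

A site that serves user-supplied text or image files can run such a check at upload time and reject or re-encode anything flagged.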