GNOME Bugzilla – Bug 134193
Probably shouldn't say "Download the Unsafe file" in download dialog
Last modified: 2005-11-28 00:15:53 UTC
When clicking a tarball the dialog tells me it's an unsafe file. Might be a good idea to change this to "unhandled" or something similar. It's not an unsafe file, and telling the user that all files are unsafe will probably just make him ignore the warning altogether.
Would it be possible to give me the URL of the file? It's probably a mime type that is not in the freedesktop db.
Oh, if you can't give the URL, I think wget shows the mime type when downloading...
Ah, it might just be a local problem. It's any tar.gz or tar.bz2 file. I'll look into my mime database; it might be screwed up from running from CVS for 7 months without reinstallation. I should really do a full rebuild and wipe my settings.
Probably not local; we have a script to keep the ephy safe/unsafe list in sync with freedesktop. Can you verify whether http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/0.8/firefox-0.8-i686-linux-gtk2+xft.tar.gz works correctly for you? It does for me.
"application/octet-stream" is listed as unsafe. It could be because of that. I have to agree that saying files are "unsafe" is a bad idea, especially with such a large list of "unsafe" types. (I was just told that an ISO image could damage my documents or invade my privacy... I'd like to see it try.) As Mikael said, the evidence from Windows seems to be that if you warn the user about unsafe files enough, they just stop paying attention. And Linux isn't Windows anyway. The main types of problem file on Windows are (a) Office files with evil macros (which are listed as "safe" in epiphany's list), (b) VBScript (which isn't listed as safe or unsafe, but wouldn't affect us anyway), and (c) executables, which are unsafe on Windows because it moronically offers to run random files you downloaded off the net, which no Linux app that I am aware of does. So this code seems to be trying to protect users from security problems that don't really exist. At any rate, it seems like if you're going to keep this warning, you should move all of the compression and archive types (gzip, bzip, tar, etc.) to the "unsafe" list, since otherwise hax0rs will be able to trick unsuspecting users into downloading dangerous Nintendo 64 ROMs, TeX fonts, and Quicken data files by gzipping them first. ;-)
The list certainly needs tweaking; I'm not sure we can get rid of it completely though. There are, for example, scripts that would be automatically executed, if I remember correctly.
I also need to check what we do for unknown types. Since we don't execute them anyway, the unsafe dialog should not be shown (I'm convinced Mikael's case is actually this one).
Marco: The file you pointed to works fine in my epiphany. It might be the type the server returned that caused the problem. Btw, what do you mean that scripts get called automatically? That sounds way evil and imho should never happen; I think it's safe to require that you download a script and then manually have to run it.
> what do you mean that scripts get called automatically?
For example, Java bytecode is associated with the java executable, and Windows executables are associated with wine. So opening it with the associated application would execute them in these cases...
If that's true, this really needs to be dealt with at the gnome-vfs level (assuming that's where those mappings are). Otherwise other apps that use the gnome-vfs mime db will have security problems. (E.g., if you get mailed a Windows virus, evolution would offer to open it for you in Wine???)
See http://cvs.gnome.org/bonsai/cvsblame.cgi?file=gnome-mime-data/gnome-vfs.keys.in&rev=&root=/cvs/gnome In general I agree (though because of autodownloads the problem is much more critical in epiphany). I guess they were added so that you could run Windows/Java executables from nautilus, but they certainly introduce problems. If they need to stay, there should be a way for applications to make a distinction between normal handlers and handlers that run executable code.
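The two points made above (a type is only dangerous if its associated handler executes the file, and an unknown type with no handler should get no warning at all) can be turned into a small classifier. The following Python sketch is an added illustration for this thread, not epiphany or gnome-vfs code: the handler table with its runs_content flag, the magic signatures and the extension map are assumptions modelled on the mappings described above (Java bytecode to java, Windows executables to wine), and the sample inputs are constructed.

```python
"""Added example: classify a download by what its local handler would do.

Illustration written for this thread, not epiphany or gnome-vfs code.  The
handler table, magic signatures and extension map are assumptions.
"""
from email.message import Message

# mime type -> (handler, runs_content).  runs_content=True means "opening"
# the file executes what is inside it; that is the only case worth a warning.
HANDLERS = {
    "application/x-java-class": ("java", True),
    "application/x-ms-dos-executable": ("wine", True),
    "application/gzip": ("file-roller", False),
    "application/x-bzip": ("file-roller", False),
    "application/x-tar": ("file-roller", False),
    "image/png": ("eog", False),
    "image/x-png": ("eog", False),
}

# Leading bytes of the formats servers most often mislabel as octet-stream.
MAGIC = [
    (b"\x1f\x8b", "application/gzip"),
    (b"BZh", "application/x-bzip"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xca\xfe\xba\xbe", "application/x-java-class"),
    (b"MZ", "application/x-ms-dos-executable"),
]

# Last resort when neither the header nor the bytes say anything useful.
EXTENSIONS = {
    ".tar.gz": "application/gzip",
    ".tgz": "application/gzip",
    ".tar.bz2": "application/x-bzip",
    ".png": "image/x-png",
    ".class": "application/x-java-class",
    ".exe": "application/x-ms-dos-executable",
}


def declared_type(content_type):
    """'image/x-png; charset=binary' -> 'image/x-png'; None if absent."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def attachment_filename(content_disposition):
    """Pull filename="..." out of a Content-Disposition header (RFC 2183)."""
    if not content_disposition:
        return None
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename()


def sniff_type(head):
    for signature, mime in MAGIC:
        if head.startswith(signature):
            return mime
    return None


def runs_content(mime):
    return HANDLERS.get(mime, (None, False))[1]


def resolve_type(content_type, content_disposition, url_path, head):
    """Return (mime, evidence) describing how the type was picked."""
    declared = declared_type(content_type)
    sniffed = sniff_type(head)
    # The Content-Type header is chosen by the server, so bytes that a local
    # handler would execute outrank whatever the server claimed they were.
    if sniffed and runs_content(sniffed):
        return sniffed, "content sniffing"
    if declared and declared != "application/octet-stream":
        return declared, "server Content-Type"
    if sniffed:
        return sniffed, "content sniffing"
    name = attachment_filename(content_disposition) or url_path.rsplit("/", 1)[-1]
    for ext, mime in EXTENSIONS.items():
        if name.lower().endswith(ext):
            return mime, "filename extension " + ext
    return None, "undetermined"


def classify(content_type, content_disposition, url_path, head):
    """Return ('safe' | 'unsafe' | 'unknown', reason).  Only 'unsafe' warns."""
    mime, how = resolve_type(content_type, content_disposition, url_path, head)
    if mime is None or mime not in HANDLERS:
        # Nothing is associated with it, so nothing will run: no warning.
        return "unknown", "no handler for %s (%s)" % (mime, how)
    app, runs = HANDLERS[mime]
    if runs:
        return "unsafe", "%s (%s) opens with %s, which executes it" % (mime, how, app)
    return "safe", "%s (%s) opens with %s, which only displays it" % (mime, how, app)


if __name__ == "__main__":
    # Constructed inputs modelled on the cases discussed in this bug.
    cases = [
        ("application/octet-stream", None, "/firefox-0.8.tar.gz", b"\x1f\x8b\x08\x00"),
        ("image/x-png", 'attachment; filename="amazon-million.png"', "/ShowPost.aspx", b"\x89PNG\r\n\x1a\n"),
        ("application/octet-stream", None, "/Applet.class", b"\xca\xfe\xba\xbe\x00\x00"),
        ("text/plain", None, "/readme.txt", b"MZ\x90\x00"),
        ("application/x-cd-image", None, "/disc.iso", b"\x00" * 8),
    ]
    for case in cases:
        print(case[2], "->", *classify(*case))
```

With this policy the firefox tarball served as application/octet-stream sniffs as gzip and is "safe", the PNG sent with Content-Disposition: attachment stays "safe", a Java class file or a PE binary is "unsafe" even when the server calls it text/plain, and an ISO image with no handler is "unknown" and gets no dialog at all.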
This should be a lot saner in cvs. Leaving it open since we need to have something that works system wide at some point.
And just to confirm, after upgrading to the latest gnome-vfs and shared-mime-info, evolution does offer to open windows viruses in Wine. Sweet!
Oh, if you see this again with CVS, please report the URL.
Mass reassigning of Epiphany bugs to epiphany-maint@b.g.o
I've had trouble with this too. Go to http://www.thedailywtf.com/forums/26911/ShowPost.aspx and click on the screenshot to download it. Epiphany says the file is unsafe, even though it's *clearly* labelled as:
Content-Type: image/x-png
Content-Disposition: attachment; filename="amazon-million.png"
...which looks safe to me. ;)
Comment #16 actually looks like a different problem, with Content-Disposition: attachment being abused. I assume image/x-png is already in the "safe" mimetypes list? If not, it should probably be added. Otherwise, is there a reason to keep this bug open?
Marking duplicate of 170493 since it has a bit more info. *** This bug has been marked as a duplicate of 170493 ***