Open Bug 1063986 Opened 10 years ago Updated 2 years ago

Unknown file starting with NUL NUL SOH NUL parsed as image/x-icon

Categories

(Core :: Graphics: ImageLib, defect)

35 Branch
x86
Windows XP
defect

People

(Reporter: obrufau, Unassigned)

Attachments

(1 file)

4 bytes, application/octet-stream
Attached file demo
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0
Build ID: 20140906030204

Steps to reproduce:

Create a file starting with NUL NUL SOH NUL. For example, see the attached demo.
Let the file have no extension, or an unknown one.
Open it using the file scheme, or served by a server without Content-Type header.


Actual results:

Firefox attempts to parse the file as an image/x-icon image.


Expected results:

Firefox shouldn't think that an unknown file is an image.

In my case the file was a log file created by Microsoft Tracelog (.etl). It started with those characters and somehow it got opened with Firefox. Confusingly, Firefox said it was a broken image.

A browser tries to detect the filetype if no Content-Type is available. That detection is not error-free and is a security risk if done wrong, and that is the reason why newer HTTP protocols require that a server sends a Content-Type header.

The file detection is a complicated task and the unknown content decoder tries various things to detect the filetype. It looks at the url (e.g. http://example.com/test.gif, file:///c:/test.gif) and then at the content of the file itself. 
In some cases magic numbers (http://en.wikipedia.org/wiki/Magic_number_%28programming%29#Magic_numbers_in_files) are used to detect the filetype and in this case you found the magic number for image/x-icon.

The place where it happens is here: http://mxr.mozilla.org/mozilla-central/source/image/src/imgLoader.cpp#2238
BTW: Google Chrome is using the same magic numbers: https://chromium.googlesource.com/chromium/src/net/+/master/base/mime_sniffer.cc (line 229)

Is the detection wrong? Yes
Is that a bug that should be fixed? Most likely not

So I suggest closing this as wontfix.
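
An added example, not part of the original thread and not Firefox's or Chromium's code: it contrasts a prefix-only sniff on the four bytes named in this bug with a structural check of the ICO directory that follows them. The function names and both sample buffers are constructed for illustration; the field offsets are those of the ICONDIR/ICONDIRENTRY layout.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Prefix-only sniff: the four bytes named in this bug (NUL NUL SOH NUL).
bool sniff_ico_prefix(const uint8_t* p, size_t n) {
    static const uint8_t kMagic[4] = {0x00, 0x00, 0x01, 0x00};
    return n >= 4 && std::memcmp(p, kMagic, 4) == 0;
}

static uint32_t le16(const uint8_t* p) { return p[0] | (p[1] << 8); }
static uint32_t le32(const uint8_t* p) { return le16(p) | (le16(p + 2) << 16); }

// Structural check (hypothetical helper): the ICONDIR header plus every
// 16-byte ICONDIRENTRY must describe image data that lies inside the buffer.
bool looks_like_ico(const uint8_t* p, size_t n) {
    if (!sniff_ico_prefix(p, n) || n < 6) return false;
    const size_t count = le16(p + 4);            // idCount
    const size_t dir_end = 6 + 16 * count;       // end of the directory table
    if (count == 0 || dir_end > n) return false;
    for (size_t i = 0; i < count; ++i) {
        const uint8_t* e = p + 6 + 16 * i;
        const uint64_t size = le32(e + 8);       // dwBytesInRes
        const uint64_t off = le32(e + 12);       // dwImageOffset
        if (size == 0 || off < dir_end || off + size > n) return false;
    }
    return true;
}

// Constructed sample: a 4-byte file like the demo attachment in the report.
std::vector<uint8_t> demo_file() { return {0x00, 0x00, 0x01, 0x00}; }

// Constructed sample: a one-entry directory pointing at 40 bytes of payload.
std::vector<uint8_t> minimal_ico() {
    std::vector<uint8_t> f(22 + 40, 0);
    f[2] = 1;              // idType = 1 (icon)
    f[4] = 1;              // idCount = 1
    f[6] = 16; f[7] = 16;  // width, height
    f[14] = 40;            // dwBytesInRes = 40
    f[18] = 22;            // dwImageOffset = 22
    return f;
}

int main() {  // one line per sample: prefix-only result, structural result
    for (const auto& f : {demo_file(), minimal_ico()})
        std::printf("%d %d\n", sniff_ico_prefix(f.data(), f.size()),
                    looks_like_ico(f.data(), f.size()));
}
```

A structural check narrows the set of non-image files that get labelled image/x-icon, but it is still a guess; a file whose bytes happen to form a consistent directory would pass it.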
Moving to imagelib (the unknown content decoder is in network but the image detection is part of imagelib)
Status: UNCONFIRMED → NEW
Component: Untriaged → ImageLib
Ever confirmed: true
Product: Firefox → Core

Thanks for the explanation.

But I think that if Firefox makes a guess to parse an unknown file, it should notify the user.

Like "remember password", an icon could appear at the left of the location bar with a message explaining that Firefox is not sure of the type of the file. In that message there should be a way to parse the file again using a custom MIME type.
Severity: normal → S3