~sircmpwn/aerc2#474: 
Incorrect MIME type detected for .odt attachment

I used aerc to send an email and I attached a LibreOffice document (.odt). But as it turns out, OpenDocument files are secretly just .zip files (you can verify that with zipinfo), and so golang's DetectContentType function decides to return application/zip. Then if the recipient uses a web client, they will be asked to open the document using an unarchiver. I'm not sure how to deal with this.

Maybe consider using a more robust solution for scanning the MIME type for attachments? Though it seems like there might be security implications, and I'm not an expert on that.

Status: REPORTED
Submitter: gardenapple
Assigned to: No-one
Submitted: a month ago
Updated: a month ago
Labels: No labels applied.

~labrat a month ago

> Maybe consider using a more robust solution for scanning the MIME type for attachments? Though it seems like there might be security implications, and I'm not an expert on that.

Looking at https://github.com/gabriel-vasile/mimetype/issues, content sniffing is a mess... I don't think that you'll find a "robust" solution out there. There will always be that one edge case, or things like PowerPoint that may put the header at the very bottom of the file. No sniffer ever reads the full file just for sniffing; imagine attaching multiple large files.

I'm wondering whether we should just default to the extension and /etc/mime.types and only try the sniffing if there's no extension / unknown type.

That would solve most of the problems but introduce others... Now we have an attack surface that we mislabel mime types. Then again, nothing the user couldn't do manually by overwriting the header so I'm not sure we care.

We do introduce the "wrong" mime type as is anyhow.

Opinions?
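
The extension-first lookup proposed above, sketched in Go as an added example (not aerc's code and not the patch linked in this thread). `attachmentType` and `sampleODT` are hypothetical helpers, the sample bytes are constructed, and the `.odt` mapping is registered in-process as an assumption standing in for /etc/mime.types.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"mime"
	"net/http"
	"path/filepath"
	"strings"
)

const odtType = "application/vnd.oasis.opendocument.text"

// Assumption: register the mapping ourselves so the result does not depend
// on whether this machine's mime.types lists .odt.
func init() { mime.AddExtensionType(".odt", odtType) }

// attachmentType (hypothetical helper) trusts the file extension first and
// sniffs the content only when the extension is missing or unknown.
func attachmentType(name string, head []byte) (mimeType, source string) {
	ext := strings.ToLower(filepath.Ext(name))
	if t := mime.TypeByExtension(ext); ext != "" && t != "" {
		return t, "extension"
	}
	return http.DetectContentType(head), "sniffed"
}

// sampleODT builds a constructed, minimal OpenDocument-style ZIP in memory.
func sampleODT() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, _ := w.CreateHeader(&zip.FileHeader{Name: "mimetype", Method: zip.Store})
	f.Write([]byte(odtType))
	w.Close()
	return buf.Bytes()
}

func main() {
	odt := sampleODT()
	fmt.Println(http.DetectContentType(odt))       // sniffing alone sees only the ZIP container
	fmt.Println(attachmentType("report.odt", odt)) // extension wins
	fmt.Println(attachmentType("report", odt))     // no extension: falls back to sniffing
	// The label follows the name, not the bytes, so a receiver cannot treat it as verified.
	fmt.Println(attachmentType("picture.odt", []byte("\x89PNG\r\n\x1a\n")))
}
```

The last call shows the mislabelling trade-off raised above: the declared type is whatever the file name implies, which is why a receiving client should treat Content-Type as a hint rather than a fact.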

~labrat a month ago

~gardenapple apply and test https://lists.sr.ht/~sircmpwn/aerc/patches/16001 please. I'd appreciate some feedback on this.

gardenapple a month ago

Patch seems to work as expected. OpenDocument and OOXML documents are properly recognized when they have the proper extension. Tested with ProtonMail Android app and Posteo.de web interface. When there is no file extension it works like it did before.

Also tested .jpg and .png and they work with no changes.

This is a big improvement, thanks!

Also, is there an easy way to look at the current list of attachments before sending a document?
