[GRASS5] 755 on /usr/local/grass-6.1.cvs/docs/html/*.png

Glynn Clements glynn at gclements.plus.com
Mon Jan 30 20:23:18 EST 2006


Maciek Sieczka wrote:

> The *.png files in grass6/dist.i686-pc-linux-gnu/docs/html permissions
> are 755. Wouldn't 644 be enough? 755 is populated
> to /usr/local/grass-6.1.cvs/docs/html on install.

The files are installed using $(INSTALL), where it should be
$(INSTALL_DATA) for data files. I'm just testing the changes; I'll
commit them once they're tested.

An aside:

One consequence of installing "*.png" in the html directory is that
the d.out.png script gets installed there. It isn't a major issue,
although I can think of two potential issues regarding browsing the
directory with a graphical file manager.

1. If the program automatically generates thumbnails for "image" files
(based upon the file's suffix), trying to decode d.out.png may test
the robustness of its PNG decoder.

2. If a user "runs" it, expecting to view a PNG file, but the file
manager detects scripts by the #! marker, they may actually run it. I
don't know whether there would be any adverse consequences.

More generally, GRASS' naming convention (dots in program names) makes
programs like r.out.{png,ppm,tiff} show up as PNG/PPM/TIFF files in
graphical file managers. I suppose it's too late to change that now,
although it might be worth forcing the .exe suffix onto binaries when
compiling on Windows.

Otherwise, there could be reliability or even security issues on
Windows, which is rather inconsistent in how it determines the types
of files. Sometimes it looks at the suffix, sometimes the MIME type
(for HTTP or email), sometimes it looks at the first part of the
file's contents.

This issue has been a constant source of security problems in the
past. Particularly with IE and OE, which will pass files to helper
applications based upon the suffix or MIME type, and the helper then
handles the file according to its contents. This can allow controls on
"unsafe" content types to be bypassed, by supplying unsafe content
with a "safe" suffix and MIME type.

-- 
Glynn Clements <glynn at gclements.plus.com>
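The two problems discussed in this thread (data files landing with mode 755 because they went through $(INSTALL) rather than $(INSTALL_DATA), and files such as d.out.png whose suffix says "image" but whose contents say "script") can both be caught by a post-install audit that looks at the bytes of each file rather than its name. The following is an added example, not GRASS code and not part of this message; it assumes a POSIX sh with od, tr and find available, and the PPM/TIFF magic numbers it checks are the standard ones (P3/P6 for PPM, "II*\0" or "MM\0*" for TIFF).

```shell
#!/bin/sh
# Added example (not from GRASS): audit an installed docs/html tree for
#  (a) files whose suffix claims an image type but whose leading bytes do not,
#  (b) files that start with "#!" (a file manager may execute them), and
#  (c) data files installed executable when 644 would do.
# Assumes POSIX sh plus od and tr; directory to audit is passed as $1.

# Hex dump of the first N bytes of a file, no spaces, e.g. "89504e470d0a1a0a".
head_hex() {
    od -A n -t x1 -N "$2" "$1" | tr -d ' \n'
}

# Return 0 when the file's leading bytes match what its suffix claims.
# This is the check a thumbnailer should make before decoding anything.
magic_matches_suffix() {
    f=$1
    head8=$(head_hex "$f" 8)
    case $f in
        *.png)        [ "$head8" = "89504e470d0a1a0a" ] ;;
        *.ppm)        case $head8 in 5033*|5036*) true ;; *) false ;; esac ;;
        *.tif|*.tiff) case $head8 in 49492a00*|4d4d002a*) true ;; *) false ;; esac ;;
        *)            true ;;   # suffix not covered: nothing to compare against
    esac
}

# Return 0 when the file starts with "#!" (hex 23 21), i.e. it is a script
# regardless of what the suffix says.
is_script() {
    [ "$(head_hex "$1" 2)" = "2321" ]
}

# Print one line per finding under directory $1; return 1 if any were found.
audit_tree() {
    dir=$1
    problems=0
    for f in "$dir"/*.png "$dir"/*.ppm "$dir"/*.tif "$dir"/*.tiff; do
        [ -f "$f" ] || continue          # skip unmatched glob patterns
        if ! magic_matches_suffix "$f"; then
            echo "MISMATCH: $f: suffix claims an image but contents do not"
            problems=$((problems + 1))
        fi
        if is_script "$f"; then
            echo "SCRIPT: $f: starts with #!, a file manager may execute it"
            problems=$((problems + 1))
        elif [ -x "$f" ]; then
            echo "MODE: $f: data file is executable; install it as 644 (INSTALL_DATA)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Stand-alone use: sh audit.sh /usr/local/grass-6.1.cvs/docs/html
if [ -n "${1:-}" ]; then
    audit_tree "$1"
fi
```

The audit deliberately does not flag a real script for being executable; the point is that a script should not be sitting in the html directory under an image suffix at all, which the MISMATCH and SCRIPT lines report separately from the mode problem.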
