RE: Security Breach Alert - CVS Home File Download Area Compromised

[Conrad T. Pino]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Kenneth & Philippe,

The MIME type supplied to the browser is determined by Apache:
http://httpd.apache.org/docs-2.0/mod/mod_mime.html#typesconfig

I run an Apache 2.0.43 server not too different than the Apache
2.0.47 server Collab Net runs on www.cvshome.org site.

The default configuration I used demonstrates "auto magic" file
decompression and an inability to download "*.gz.sig" files.

The following "AddTypes" work with "*.gz" file but the "*.gz.sig"
file is still problematic even though the MIME types changes from
being the "text/plain" default for both to specific values selected
below:

        AddType application/pgp-signature .sig
        AddType application/x-gzip .gz

I now believe we can resolve all the symptoms I've reported by
choosing appropriate MIME type and file extension mappings and
configuring Apache accordingly.

Mark Bauske and Larry Jones put forward this hypothesis and I've
been able to prove some of it.

Here's what Microsoft said about IE and MIME types:
http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp

Does the Collab Net team have any suggestions for mapping MIME
types and file extensions to get the popular browsers working
well?

Best regards,

Conrad

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBQfg+4bNM28ubzTo9EQJc5gCg2I8KhKjkk/lUzheVe5Ks3lGHDvcAn1qe
OfImEoZPiBigTkO+M1qLlirh
=Ew4p
-----END PGP SIGNATURE-----