So - has anyone else had a chance to look at the Adobe Flash vulnerability?
http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html
http://www.computerworld.com/s/article/9140768/Flash_flaw_puts_most_site...
It would appear that there is no easy way to handle it short of their suggestion to serve back all user-supplied content from a different domain. I can't see any logical way to accomplish that via Drupal considering the wide range of site sizes and complexities.
Perhaps one method could be strong enforcement of mimetype detection on uploads so people can't get Flash content uploaded when it is masquerading as something else. Mimedetect/fileinfo could be helpful here.
The CDN integration module can get your content served from a different site by pushing it there and rewriting URLs. Perhaps this could be extended a bit to also perform local rewriting for user-supplied content in the event the administrator supplies a second domain for serving it from.
Thoughts?
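
The content check suggested in the post above could look like this in PHP; this is an added example, not code from the original post, Drupal, or the Mimedetect module. The function names, the allow-list and the sample file are assumptions constructed for illustration, and the check looks only at the leading bytes of the upload.

```php
<?php
// Added example; function names are hypothetical, not a Drupal or Mimedetect API.

// Leading bytes of a Flash movie: FWS (uncompressed), CWS (zlib), ZWS (LZMA).
const SWF_SIGNATURES = ['FWS', 'CWS', 'ZWS'];

/**
 * Returns true when the file content starts with a SWF signature.
 */
function upload_looks_like_swf(string $path): bool {
  $fh = fopen($path, 'rb');
  if ($fh === false) {
    return true; // Fail closed: an unreadable upload is treated as suspect.
  }
  $head = fread($fh, 3);
  fclose($fh);
  return in_array($head, SWF_SIGNATURES, true);
}

/**
 * Validates an upload by content rather than by its name or client-sent type.
 * $allowed maps extension => expected MIME type.
 * Returns a list of error strings; an empty list means the file passed.
 */
function validate_upload(string $path, string $filename, array $allowed): array {
  $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
  if (!isset($allowed[$ext])) {
    return ["Extension '$ext' is not allowed."];
  }
  $errors = [];
  if (upload_looks_like_swf($path)) {
    $errors[] = 'Content starts with a Flash (SWF) signature.';
  }
  // fileinfo inspects the bytes on disk, not the name or the browser's header.
  $finfo = new finfo(FILEINFO_MIME_TYPE);
  $detected = $finfo->file($path);
  if ($detected !== $allowed[$ext]) {
    $errors[] = "Detected type '$detected' does not match '.$ext'.";
  }
  return $errors;
}

// Constructed sample: a file named like an image whose bytes begin with "CWS".
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "CWS\x0a" . str_repeat("\0", 32));
$allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];
print_r(validate_upload($tmp, 'avatar.png', $allowed)); // both checks report errors
unlink($tmp);
```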

Comments
separate filesystem
There are multiple issues related to serving files from the same domain. File extensions like gzip, zip, html, js all pose real risks and yet lots of sites want to include those kinds of files. I think the best solution is to use a separate domain just for the files being served by the site which can also let you run a lightweight webserver. Of course, that doesn't help if you use private files...
knaddison blog | Morris Animal Foundation
Mimetype detection on uploads
Mimetype detection on uploads is doomed to fail.