I thought file extensions were pretty simple – just a period followed by three letters. What's the “superfluous extension data” at issue here?
As most commonly used, a file extension consists of a period followed by three letters and comes at the end of a filename or URL. However, that’s not the only way extension data can be used. There’s considerable flexibility regarding how and where extensions can be used, especially within a URL. In theory it would be acceptable for a URL to contain multiple extensions located throughout the URL, e.g., http://www.microsoft.com/folder1.vti/folder2.doc/file.txt.zip. Each of the extensions might tell the server how the data in a particular folder or file should be processed, and in what order. The “superfluous extension data” at issue here is bogus file extension data that’s inserted into a URL simply for the purpose of forcing the algorithm to spend time parsing it. As currently implemented, the work factor increases non-linearly with the complexity of the URL. By deliberately sending a highly complex URL with an extremely large amount of bogus file extension data, a malicious user cou
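
The non-linear work factor described in the answer above, and a bounded single-pass alternative, as an added example that is not part of the original page or the affected product's code. The rescanning parser is a hypothetical stand-in for "work grows non-linearly"; `MAX_PATH_LEN`, `MAX_EXTENSIONS`, `sample_path` and both function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed limits for illustration; tune to what the application really serves.
MAX_PATH_LEN = 2048
MAX_EXTENSIONS = 8


def sample_path(n):
    """Constructed test input: one path segment carrying n dotted extensions."""
    return "/a" + ".x" * n


def naive_parse_steps(path):
    """Hypothetical non-linear parser: every '.' triggers a rescan of the
    rest of the path. Returns the number of characters examined."""
    steps = 0
    for i, ch in enumerate(path):
        steps += 1
        if ch == ".":
            steps += len(path) - i - 1  # characters a rescan would examine
    return steps


def extract_extensions(url):
    """Single bounded pass: return every extension in the URL path, in order,
    or raise ValueError before doing any unbounded work."""
    path = urlsplit(url).path
    if len(path) > MAX_PATH_LEN:
        raise ValueError("path exceeds MAX_PATH_LEN")
    found = []
    for segment in path.split("/"):
        for ext in segment.split(".")[1:]:
            if not ext:
                continue  # skip empty pieces such as ".." or a trailing dot
            found.append(ext)
            if len(found) > MAX_EXTENSIONS:
                raise ValueError("more extensions than MAX_EXTENSIONS")
    return found


if __name__ == "__main__":
    print(extract_extensions(
        "http://www.microsoft.com/folder1.vti/folder2.doc/file.txt.zip"))
    for n in (100, 200, 400):
        print(n, naive_parse_steps(sample_path(n)))
```

Doubling the number of extensions roughly quadruples the work in the rescanning parser, while the bounded parser rejects the same input after at most `MAX_EXTENSIONS + 1` extensions.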