From 84d831f049ee2e3c17d70d8bf957c5d62d6238ed Mon Sep 17 00:00:00 2001
From: Gordon Messmer
Date: Fri, 20 Mar 2026 13:14:36 -0700
Subject: [PATCH] Disable decompression in mod_mime_magic by default
---
 docs/manual/mod/mod_mime_magic.xml | 60 ++++++++++++++++++++++++++++++
 modules/metadata/mod_mime_magic.c | 34 +++++++++++++++--
 2 files changed, 91 insertions(+), 3 deletions(-)
diff --git a/docs/manual/mod/mod_mime_magic.xml b/docs/manual/mod/mod_mime_magic.xml
index bd79868a4e2..18ff7d26333 100644
--- a/docs/manual/mod/mod_mime_magic.xml
+++ b/docs/manual/mod/mod_mime_magic.xml
@@ -271,4 +271,64 @@ using the specified magic file + +MimeMagicDecompression +Enable decompression of compressed files for MIME type detection +MimeMagicDecompression On|Off +MimeMagicDecompression Off +server configvirtual host + + + +

The MimeMagicDecompression directive controls + whether mod_mime_magic will attempt to decompress files + that appear to be compressed (gzip, compress, etc.) in order to determine + the MIME type of the uncompressed content. This feature is disabled + by default and should only be enabled if you understand the + significant drawbacks. It exists to maintain backward compatibility with + previous releases of httpd, but its use is discouraged.

+ + Security and Compatibility Issues +

This feature has several serious flaws and is disabled by default:

+
    +
  1. Not RFC-compliant: Standards documents consistently + recommend against setting Content-Encoding for files that are already + compressed (such as .zip or .gz files). See + RFC 9110.
  2. + +
  3. Breaks content integrity: When Content-Encoding is set, + most HTTP clients will decompress the file before writing it to disk. This + causes the downloaded file to have a different size and checksum than the + original, breaking signature verification and checksum validation. Software + distribution sites will find this particularly problematic.
  4. + +
  5. Unpredictable behavior: This feature only applies to + files that don't match a MIME type via file extension. This can lead to + inconsistent behavior where some files in a directory are affected and + others are not, making problems difficult to diagnose.
  6. + +
  7. Performance impact: Decompression requires forking and + executing an external gzip process for each compressed file, + which adds significant overhead.
  8. + +
  9. Security risk: Passing untrusted uploaded file data to + an external binary (gzip) could potentially expose the server to + compression bombs, resource exhaustion, or remote code execution + vulnerabilities in the decompression tool.
  10. +
+
+ + Example (not recommended) + +# Only enable if you fully understand the risks +MimeMagicDecompression On + + + +

In most cases, it is better to ensure files have proper extensions + that can be mapped via mod_mime rather than relying on + this feature.

+
+
+
diff --git a/modules/metadata/mod_mime_magic.c b/modules/metadata/mod_mime_magic.c
index 05585ba7764..36833f4db28 100644
--- a/modules/metadata/mod_mime_magic.c
+++ b/modules/metadata/mod_mime_magic.c
@@ -456,6 +456,7 @@ typedef struct {
 const char *magicfile; /* where magic be found */
 struct magic *magic; /* head of magic config list */
 struct magic *last;
+ int decompression_enabled; /* whether to decompress files for content detection */
 } magic_server_config_rec;
 /* per-request info */
@@ -472,8 +473,11 @@ module AP_MODULE_DECLARE_DATA mime_magic_module;
 static void *create_magic_server_config(apr_pool_t *p, server_rec *d)
 {
+ magic_server_config_rec *conf;
 /* allocate the config - use pcalloc because it needs to be zeroed */
- return apr_pcalloc(p, sizeof(magic_server_config_rec));
+ conf = apr_pcalloc(p, sizeof(magic_server_config_rec));
+ conf->decompression_enabled = 0; /* disabled by default */
+ return conf;
 }
 static void *merge_magic_server_config(apr_pool_t *p, void *basev, void *addv)
@@ -484,6 +488,7 @@ static void *merge_magic_server_config(apr_pool_t *p, void *basev, void *addv)
 apr_palloc(p, sizeof(magic_server_config_rec));
 new->magicfile = add->magicfile ? add->magicfile : base->magicfile;
+ new->decompression_enabled = add->decompression_enabled;
 new->magic = NULL;
 new->last = NULL;
 return new;
@@ -502,6 +507,19 @@ static const char *set_magicfile(cmd_parms *cmd, void *dummy, const char *arg)
 return NULL;
 }
+static const char *set_decompression(cmd_parms *cmd, void *dummy, int arg)
+{
+ magic_server_config_rec *conf = (magic_server_config_rec *)
+ ap_get_module_config(cmd->server->module_config,
+ &mime_magic_module);
+
+ if (!conf) {
+ return MODNAME ": server structure not allocated";
+ }
+ conf->decompression_enabled = arg;
+ return NULL;
+}
+
 /*
 * configuration file commands - exported to Apache API
 */
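Review bot: The merge in merge_magic_server_config copies `add->decompression_enabled` unconditionally, so a virtual host that never mentions the directive replaces a server-level `MimeMagicDecompression On` with 0; the setting is documented for both server config and virtual host context but is never inherited. This fails toward the safe value, yet the effective setting then depends on which vhost serves the request, which is the kind of unpredictability the new documentation warns about. A tri-state would fix it: initialise with `conf->decompression_enabled = -1;` in create_magic_server_config, merge with `new->decompression_enabled = add->decompression_enabled != -1 ? add->decompression_enabled : base->decompression_enabled;`, and test `conf->decompression_enabled == 1` in the tryit hunk. The merge function's body starts outside this hunk.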
@@ -510,6 +528,13 @@ static const command_rec mime_magic_cmds[] =
 {
 AP_INIT_TAKE1("MimeMagicFile", set_magicfile, NULL, RSRC_CONF,
 "Path to MIME Magic file (in file(1) format)"),
+ AP_INIT_FLAG("MimeMagicDecompression", set_decompression, NULL, RSRC_CONF,
+ "Enable decompression of compressed files for content type detection "
+ "(Off by default). WARNING: This feature is NOT RFC-compliant, can be "
+ "unpredictable, breaks content integrity (clients will decompress files "
+ "causing checksum mismatches), impacts performance (fork/exec overhead), "
+ "and is unsafe (passes untrusted data to external gzip binary). "
+ "Use only if you understand these risks."),
 {NULL}
 };
@@ -878,10 +903,13 @@ static int magic_process(request_rec *r)
 static int tryit(request_rec *r, unsigned char *buf, apr_size_t nb, int checkzmagic)
 {
+ magic_server_config_rec *conf = (magic_server_config_rec *)
+ ap_get_module_config(r->server->module_config, &mime_magic_module);
+
 /*
- * Try compression stuff
+ * Try compression stuff (only if decompression is enabled)
 */
- if (checkzmagic == 1 ) {
+ if (checkzmagic == 1 && conf && conf->decompression_enabled) {
 if (zmagic(r, buf, nb) == 1)
 return OK;
 }
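Review bot: The updated comment in tryit says the zmagic() call is now conditional but not why, so a later maintainer could drop the guard without realising it is a security control. Going by the documentation added in this commit, the decompression path forks an external gzip on file content; I would say so at the call site, for example `/* zmagic() hands file data to an external gzip; skip unless MimeMagicDecompression is On */`. The `conf &&` test also treats a missing module config as Off, which is the safe choice and worth stating in the same comment. tryit's body continues outside the hunk.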