# Location directive not working

## dE_logics

```
<Location "private/*">

Defaulttype application/pdf

ForceType application/pdf

AcceptPathinfo on

</Location>
```

I open http://old_broken_lap/private/compressed.zpaq, and the mime type is 'BIN'... overall everything in this container is ignored.

Edit -- And yes, in Apache.

----------

## krinn

it might get clear in your mind what you are showing us, and i think you're speaking about apache, but this might not be the case, many programs could use that location keyword in a config file

So, is that apache ?

And for your trouble, even you "can" (i'm not sure you can, but i think it's what you are trying to do) force a directory to have all its files mime type define as pdf, this won't proof it could work on a brower that would be smart enough to not trust what the mime type the file is, but guess it itself.

Lol, i would expect only internet explorer to trust a file type on its extension or from what the server is telling.

I would expect a decent browser to find itself the mimetype of the file when it look at it, just to get sure i'm not fake on the file type i'm trying to handle, and certainly not trusting what a "hacked/forged/virus" webserver is telling me.

Just to say that (still if it's apache) maybe apache is telling your browser the file is pdf but your browser is telling you the file is a binary because, well, just because the file is a binary and the browesr don't care what the server is telling the file is.

----------

## malern

Try

```
<Location "/private/*">
```

(note the slash at the start)

 *Quote:*   

> Lol, i would expect only internet explorer to trust a file type on its extension or from what the server is telling. 
> 
> I would expect a decent browser to find itself the mimetype of the file when it look at it

 

Actually I think Internet Explorer is one of the few browsers that doesn't respect the mime type and tries to guess for itself. Most decent browsers trust what the server is telling it.

----------

## Hu

To extend on malern's comment with regard to MIME type sniffing: autodetection is a terrible idea, because it makes it more difficult for web proxies to accurately enforce type-specific policy.  Suppose you hear about another virus that targets Microsoft Office and configure the corporate proxy to block incoming Office files to keep your users safe.  An evil server sends you a file marked as "plain text" that is actually a malicious .doc file.  Your proxy passes it through because it is "text", then the browser decides to be clever and launch Microsoft Office because the file is clearly a .doc file.  If the browser had instead respected the MIME type set by the server, it would render the file on screen.  It would not be readable, but it would not be passed to a vulnerable reader, either.

----------

## dE_logics

 *krinn wrote:*   

> And for your trouble, even you "can" (i'm not sure you can, but i think it's what you are trying to do) force a directory to have all its files mime type define as pdf, this won't proof it could work on a brower that would be smart enough to not trust what the mime type the file is, but guess it itself. 

 

I'm just doing this for experimental purposes.

 *Quote:*   

> And for your trouble, even you "can" (i'm not sure you can, but i think it's what you are trying to do) force a directory to have all its files mime type define as pdf, this won't proof it could work on a brower that would be smart enough to not trust what the mime type the file is, but guess it itself. 

 

No. That doesn't happen. Using force type I set the type of that zpaq file to be a pdf... any file in that case even an image... and firefox was calling it a PDF.

Unfortunately Apache too determines the MIME by the extension. Maybe that happened after it's port to windows.

 *Hu wrote:*   

> To extend on malern's comment with regard to MIME type sniffing: autodetection is a terrible idea, because it makes it more difficult for web proxies to accurately enforce type-specific policy. Suppose you hear about another virus that targets Microsoft Office and configure the corporate proxy to block incoming Office files to keep your users safe. An evil server sends you a file marked as "plain text" that is actually a malicious .doc file. Your proxy passes it through because it is "text", then the browser decides to be clever and launch Microsoft Office because the file is clearly a .doc file. If the browser had instead respected the MIME type set by the server, it would render the file on screen. It would not be readable, but it would not be passed to a vulnerable reader, either.

 

Nice way to compromise Windows fools.

----------

