MIME type for downloading .dot files

If I’m providing downloads of .dot or .gv files from a web application, any opinions on the best MIME-type to apply?

From https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types:

Two primary MIME types are important for the role of default types:

  • text/plain is the default value for textual files. A textual file should be human-readable and must not contain binary data.
  • application/octet-stream is the default value for all other cases. An unknown file type should use this type. Browsers pay a particular care when manipulating these files, attempting to safeguard the user to prevent dangerous behaviors.

Normally, I’d say ‘text/plain’ is sufficient, but maybe ‘application/octet-stream’ provides a little extra security?

Speaking of which, on the other side, i.e. uploads, are there any security vulnerabilities in allowing user input of dot/gv files which immediately go to one of the layout engines (as opposed to saving in a database)?

Good question on MIME type. Either would work. Octet-stream will always be downloaded, while text/plain will render in the browser unless you set an extra download header.

My 2c: Graphviz is C code with quite a few fuzzer-found bugs we haven’t had time to fix. I’d try to sandbox it, at least in a separate process, and ideally in a different user or sandbox, if you’re running Graphviz with attacker-controlled strings.

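An added example for the download side, written for this page rather than taken from the thread or the Graphviz project: a small WSGI handler that serves DOT as text/plain together with the "extra download header" the reply refers to, Content-Disposition: attachment, plus X-Content-Type-Options: nosniff so a browser does not content-sniff a DOT body whose labels happen to look like HTML. (text/vnd.graphviz is the IANA-registered type for DOT if you want something more specific than text/plain; with nosniff and an attachment disposition either is saved rather than rendered.) The filename handling is the part worth copying: a user-influenced filename dropped raw into a header is a header-injection and path-confusion vector. The routing, SAMPLE_DOT and the helper names are my assumptions.

```python
import re
import unicodedata
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import quote

# Constructed sample body; a real handler would read the graph from its store.
# The label is deliberately HTML-looking to show why nosniff matters.
SAMPLE_DOT = b'digraph G {\n  a -> b [label="<script>alert(1)</script>"];\n}\n'

# text/plain as the thread suggests; text/vnd.graphviz is the registered
# alternative.  The download behaviour comes from the other headers.
DOT_CONTENT_TYPE = "text/plain; charset=utf-8"

_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def safe_filename(name: str, default: str = "graph.gv") -> str:
    """ASCII fallback name for the Content-Disposition header.

    Drops any directory part, folds to ASCII and replaces everything outside a
    small allow-list, so CR/LF, quotes and semicolons in a user-chosen name can
    never terminate the header value or start a new header.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = unicodedata.normalize("NFKD", base).encode("ascii", "ignore").decode()
    base = _UNSAFE.sub("_", base).strip("._")
    if not base:
        return default
    if not base.lower().endswith((".gv", ".dot")):
        base += ".gv"
    return base[:100]


def download_headers(filename: str, body: bytes) -> List[Tuple[str, str]]:
    """Headers that make the browser save the DOT file instead of rendering it."""
    ascii_name = safe_filename(filename)
    # RFC 6266/5987: ASCII fallback plus the percent-encoded UTF-8 original.
    # quote() makes the original header-safe (CR/LF become %0D%0A).
    utf8_name = quote(filename.replace("\\", "/").rsplit("/", 1)[-1], safe="")
    disposition = "attachment; filename=\"{}\"; filename*=UTF-8''{}".format(
        ascii_name, utf8_name)
    return [
        ("Content-Type", DOT_CONTENT_TYPE),
        ("Content-Disposition", disposition),
        # Without this some browsers sniff text/plain bodies and may treat
        # HTML-looking content as HTML.
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(body))),
    ]


def app(environ: Dict[str, str], start_response: Callable) -> Iterable[bytes]:
    """Minimal WSGI app: GET /download/<name> returns SAMPLE_DOT as a download.
    The last path segment is user-controlled and only ever reaches the
    sanitised filename, never a filesystem lookup."""
    requested = environ.get("PATH_INFO", "").rsplit("/", 1)[-1]
    body = SAMPLE_DOT
    start_response("200 OK", download_headers(requested or "graph.gv", body))
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8000, app) as srv:
        print("serving on http://127.0.0.1:8000/download/demo.gv")
        srv.serve_forever()
```

Run it and fetch /download/demo.gv: the response is saved as a file by the browser even though the type is text/plain, and a request such as /download/x%0D%0ASet-Cookie:%20a=b produces a single, well-formed Content-Disposition line.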
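For the upload side, an added example (again mine, not the thread's or the Graphviz project's) of the separate-process approach the reply recommends, in Python: cheap input checks first, then the layout engine run with no shell, a clean environment, a wall-clock timeout and rlimit caps on CPU time, address space, output size and core dumps, with user data reaching the child only on stdin and both argv pieces taken from allow-lists. GV_FILE_PATH is Graphviz's own restriction on where image attributes may load files from; confirm its behaviour against your installed version. These limits contain resource exhaustion and keep crash artifacts off disk; they do not contain a memory-safety bug in the engine, so the "different user or sandbox" part (an unprivileged uid, seccomp/AppArmor, or a container) is still needed. The constants, helper names and the engine/format lists are my choices.

```python
import resource
import shutil
import subprocess
import tempfile
from typing import Optional

MAX_INPUT_BYTES = 256 * 1024          # reject oversized graphs before spawning anything
LAYOUT_TIMEOUT_S = 5                  # wall-clock cap on the child
CPU_SECONDS = 5                       # RLIMIT_CPU: ends a layout that spins
ADDRESS_SPACE = 1024 * 1024 * 1024    # RLIMIT_AS: 1 GiB, tune for your graphs
MAX_OUTPUT = 16 * 1024 * 1024         # RLIMIT_FSIZE: caps what the child can write

ENGINES = {"dot", "neato", "fdp", "sfdp", "circo", "twopi"}
FORMATS = {"svg", "png", "pdf", "plain", "json"}


def validate_dot_input(data: bytes) -> Optional[str]:
    """Cheap checks run before a layout engine ever sees the bytes.
    Returns None when the input is acceptable, otherwise a short reason."""
    if len(data) > MAX_INPUT_BYTES:
        return "input too large"
    if b"\x00" in data:
        return "NUL byte in input"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "input is not valid UTF-8"
    return None


def _cap(res: int, value: int) -> None:
    # Never try to raise a hard limit; that fails in containers that already
    # clamp it and the child would die in preexec_fn.
    _soft, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _limit_child() -> None:
    # Runs in the child after fork, before exec.  A setuid to an unprivileged
    # user or a seccomp filter would also go here.
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    _cap(resource.RLIMIT_AS, ADDRESS_SPACE)
    _cap(resource.RLIMIT_FSIZE, MAX_OUTPUT)
    _cap(resource.RLIMIT_CORE, 0)     # no core dumps full of attacker input


def dot_available() -> bool:
    return shutil.which("dot") is not None


def render_dot(dot_source: bytes, fmt: str = "svg", engine: str = "dot") -> bytes:
    """Lay out attacker-controlled DOT in a separate, resource-limited process."""
    reason = validate_dot_input(dot_source)
    if reason is not None:
        raise ValueError(reason)
    # Allow-list both argv pieces; user data goes to stdin only, never argv.
    if fmt not in FORMATS or engine not in ENGINES:
        raise ValueError("unsupported engine or format")
    binary = shutil.which(engine)
    if binary is None:
        raise RuntimeError("%s is not installed" % engine)

    with tempfile.TemporaryDirectory() as empty_dir:
        env = {
            "PATH": "/usr/local/bin:/usr/bin:/bin",
            "LANG": "C",
            # Graphviz's restriction on where image= attributes may load files
            # from (verify against your version); an empty dir means nowhere.
            "GV_FILE_PATH": empty_dir,
        }
        proc = subprocess.run(
            [binary, "-T" + fmt],
            input=dot_source,
            capture_output=True,
            timeout=LAYOUT_TIMEOUT_S,     # raises TimeoutExpired after killing the child
            env=env,
            cwd=empty_dir,
            preexec_fn=_limit_child,
            check=False,
        )
    if proc.returncode != 0:
        # A negative return code means the child died from that signal (a
        # crash, or SIGXCPU from the CPU cap); a crash on user input is worth
        # alerting on, not just logging.
        raise RuntimeError("%s exited with %d: %r"
                           % (engine, proc.returncode, proc.stderr[:200]))
    return proc.stdout


if __name__ == "__main__":
    print(render_dot(b"digraph G { a -> b }").decode()[:200])
```

A subprocess.TimeoutExpired or a negative exit status from this function is a signal in its own right: it means the input reached a code path in the engine that misbehaved, which is exactly the case the reply is warning about.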