Apps can declare bad UTIs that redefine what a file extension conforms to.

Originator: averagejake
Number: rdar://10778913
Date Originated: 1/30/2012
Status: Open
Resolved:
Product: iPhone SDK
Product Version: N/A
Classification: Serious Bug
Reproducible: Always
 
Summary:
Right now it is possible for an app to pollute the UTI space. An app can redefine what a particular well-known extension conforms to, which can have a huge impact on a separate app. I think there needs to be some type of protection from apps that misuse UTI declarations.

I am submitting two apps that show off what I'm talking about.
UTIBadCitizen - This app contains no code other than what the Xcode template contained. All it does is declare a bad UTI in its Info.plist. Specifically, it declares a custom UTI 'com.utibadcitizen.badtype' that conforms to 'public.text' and 'public.plain-text' with the extensions 'png', 'jpg' and 'zip'. Obviously all of these extensions are associated with well-known types of files and none of them are actually text files.

UTITester - This app lets you type in a UTI or a file extension. For a UTI, it will grab its declaration using UTTypeCopyDeclaration() and also ask if the UTI conforms to kUTTypeText. For a file extension, the app will use UTTypeCreateAllIdentifiersForTag() to get all UTIs for the given extension and then perform the previous requests for each UTI returned. This is where the problem comes in. If you enter 'png', 'jpg' or 'zip', one of the UTIs you get back will be 'com.utibadcitizen.badtype', which claims that the types associated with these extensions conform to kUTTypeText.


Unfortunately there is nothing to stop this kind of app from getting into the iOS App Store. I have run into an issue with one such app.


Steps to Reproduce:
Declare a bad UTI in one app.
In a second app, inspect the file extension associated with the bad UTI in the first app.

Expected Results:
The bad UTI should not be able to incorrectly redeclare what someone else's UTI conforms to.

Actual Results:
UTITester may now incorrectly believe that a file with the 'zip' extension conforms to kUTTypeText.

Notes:
If this can't be fixed mechanically (at compile or runtime) then perhaps it should be screened for during the app review process. It may also be beneficial to educate developers about the side effects that can be caused by declaring a bad UTI or even a good UTI. I'd be willing to bet that the developer who writes these UTIBadCitizen type apps doesn't even realize that they are causing issues for other developers.
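
One way the screening suggested in the notes could be done against an app's Info.plist, as an added example (not part of the original report and not Apple's tooling). The SYSTEM_OWNED table is an assumed, reviewer-maintained list, and the sample plist is constructed to mirror the UTIBadCitizen declaration, with com.example.notes as a made-up benign type.

```python
import plistlib

# Assumption: a small reviewer-maintained table of well-known extensions and
# the system UTIs that own them; extend it for real use.
SYSTEM_OWNED = {
    "png": {"public.png"},
    "jpg": {"public.jpeg"},
    "zip": {"public.zip-archive", "com.pkware.zip-archive"},
}
DECL_KEYS = ("UTExportedTypeDeclarations", "UTImportedTypeDeclarations")

def as_list(value):
    # These plist values may be a single string, an array, or absent.
    return [value] if isinstance(value, str) else list(value or [])

def find_hijacked_extensions(info_plist_bytes):
    """Return (uti, extension, conforms_to) for each declaration that claims
    an extension owned by a system type."""
    info = plistlib.loads(info_plist_bytes)
    findings = []
    for key in DECL_KEYS:
        for decl in info.get(key, []):
            uti = decl.get("UTTypeIdentifier", "")
            conforms = as_list(decl.get("UTTypeConformsTo"))
            tags = decl.get("UTTypeTagSpecification", {})
            for ext in as_list(tags.get("public.filename-extension")):
                ext = ext.lower().lstrip(".")
                owners = SYSTEM_OWNED.get(ext)
                if owners and uti not in owners:
                    findings.append((uti, ext, conforms))
    return findings

# Constructed sample mirroring the UTIBadCitizen declaration described above.
SAMPLE = plistlib.dumps({
    "UTExportedTypeDeclarations": [{
        "UTTypeIdentifier": "com.utibadcitizen.badtype",
        "UTTypeConformsTo": ["public.text", "public.plain-text"],
        "UTTypeTagSpecification": {
            "public.filename-extension": ["png", "jpg", "zip"]},
    }, {
        "UTTypeIdentifier": "com.example.notes",  # benign, constructed
        "UTTypeConformsTo": "public.data",
        "UTTypeTagSpecification": {"public.filename-extension": "exnote"},
    }],
})

if __name__ == "__main__":
    for uti, ext, conforms in find_hijacked_extensions(SAMPLE):
        print(f"{uti} claims .{ext} as {', '.join(conforms)}")
```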
