On Jan 22, 2009, at 10:13 AM, Thomas Bruederli wrote:
> I tend to switch back and just trust the mime-type submitted by the client (when uploading).
Hmmm, that made my security radar do a beep. Trusting user input isn't always safe.
An example with non-serious consequences: in an application I built, I had a simple check for a file type, and refused uploads if the file didn't meet our requirements. Users would simply rename the file with a different extension, which would make the browser report the required mime type.
I had to add a check that used something like 'file -ib' to make sure something goofy wasn't going on.
It seems fileinfo - libmagic has a bit of a hard time with Microsoft formats, which are common e-mail file attachments. This may be why the comment:
> That server-side mime-type detection seems to cause more problems than solving them.
My application referenced above required a file type far different from Word, Excel, etc. so I didn't run into problems.
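The two points made above (a renamed file fools any check that trusts the browser's Content-Type or the extension, and a magic-number check can only tell you "OLE2 container" or "ZIP container" for Microsoft formats unless you look inside) are illustrated by the following content sniffer. It is an added example written for this page, not Roundcube code and not a libmagic wrapper: the signature table, the OOXML member-directory heuristic, the check_upload policy and the constructed sample files are all assumptions made for the demonstration, and a real deployment would still want the full `file -ib` / fileinfo database behind it.

```python
import io
import zipfile
from typing import Optional, Tuple

# Leading-byte signatures for a few common attachment types (offset 0 in
# every case). Table written for this example; it is deliberately small.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    # OLE2 compound document: legacy .doc/.xls/.ppt all share this header,
    # so a header check alone cannot tell them apart.
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/vnd.ms-office"),
    # ZIP local file header: plain archives, but also .docx/.xlsx/.pptx, .odt, .jar.
    (b"PK\x03\x04", "application/zip"),
]

# Office Open XML packages carry [Content_Types].xml at the archive root and a
# part directory named for the application. Mapping assumed for this example.
OOXML_DIRS = {
    "word/": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "xl/": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "ppt/": "application/vnd.openxmlformats-officedocument.presentationml.presentation",
}


def refine_zip(data: bytes) -> str:
    """A ZIP signature is ambiguous: read the member names to distinguish a
    Word/Excel/PowerPoint package from a plain archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "application/zip"
    if "[Content_Types].xml" not in names:
        return "application/zip"
    for prefix, mime in OOXML_DIRS.items():
        if any(n.startswith(prefix) for n in names):
            return mime
    return "application/zip"


def sniff_mime(data: bytes) -> Optional[str]:
    """Detect the MIME type from content alone; filename and client claim are ignored."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return refine_zip(data) if mime == "application/zip" else mime
    return None


def check_upload(filename: str, claimed_mime: str, data: bytes, allowed: set) -> Tuple[bool, str]:
    """Server-side admission check. The browser's Content-Type (which it guesses
    from the extension) is advisory only; the decision rests on the sniffed type."""
    detected = sniff_mime(data)
    if detected is None:
        return False, f"{filename}: unrecognized content"
    if detected not in allowed:
        return False, f"{filename}: content is {detected}, not an allowed type"
    if claimed_mime != detected:
        return True, f"{filename}: accepted as {detected} (client claimed {claimed_mime})"
    return True, f"{filename}: accepted as {detected}"


# --- constructed sample inputs (not real files) ---------------------------
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # PNG header only
SAMPLE_HTML = b"<html><script>alert(1)</script></html>"     # what a renamed .png might really be


def make_docx_like() -> bytes:
    """Build a minimal OOXML-shaped ZIP: only the member names a sniffer keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    images_only = {"image/png", "image/jpeg", "image/gif"}
    # HTML renamed to photo.png: the browser dutifully reports image/png.
    print(check_upload("photo.png", "image/png", SAMPLE_HTML, images_only))
    print(check_upload("photo.png", "image/png", SAMPLE_PNG, images_only))
    # A Word package is a ZIP at the header level; refine_zip resolves it.
    print(check_upload("report.docx", "application/octet-stream", make_docx_like(), images_only))
```

The OLE2 case is left as the bare container type on purpose: telling a .doc from an .xls requires walking the compound-file directory, which is exactly the kind of format-specific work that makes server-side detection of Microsoft attachments fiddly.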