
mahara-contributors team mailing list archive

[Bug 1249858] Re: Mahara can't figure out mime types because of a finfo() bug


Here's a brief description of the recommended way to handle filetype of
uploaded files: http://www.peachpit.com/blogs/blog.aspx?uk=Securely-Handling-File-Uploads-Five-Critical-E-Commerce-Security-Tips-in-Five-Days

1. Don't let unregistered users upload files (we do this)
2. Store uploaded files outside the webroot and only access them through a proxy script (we do this)
3. Preferably get the filetype from finfo(), which looks at the file contents
4. If you can't do that, use the file extension
5. Don't trust the mimetype, because it's sent by the web client and is therefore hackable and variable.

https://bugs.launchpad.net/bugs/1249858

Title:
  Mahara can't figure out mime types because of a finfo() bug

Status in Mahara ePortfolio:
  Confirmed
Status in Mahara 1.6 series:
  New
Status in Mahara 1.7 series:
  New
Status in Mahara 1.8 series:
  New
Status in Mahara 1.9 series:
  Confirmed

Bug description:
  There have been several notable Mahara bugs based around the fact that
  our current handling of mimetypes is broken.

  See for instance:
   - https://bugs.launchpad.net/mahara/+bug/1220639
   - https://bugs.launchpad.net/mahara/+bug/1249166

  The problem is this:

  1. You can't really trust the mimetype that the browser sends to you, because different browsers send different wacky things
  2. Mahara has long used its own function file_mime_type() in lib/file.php for this purpose
  3. file_mime_type() preferentially uses finfo() to check the mimetype. But, there's a bug in finfo() with an external magic db, which is how it is distributed on Ubuntu presently: https://bugs.php.net/bug.php?id=61940
  4. file_mime_type() falls back to mime_content_type(). But that's now deprecated
  5. If neither of those works, we fall back to trusting what the browser told us, which isn't really the best (see #1)
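The detection order both lists above recommend (content sniffing via finfo(), then the file extension, never the browser-sent type), written out as an added example; this is not Mahara's file_mime_type() from lib/file.php, and safe_mime_type() and EXTENSION_MAP are invented names:

```php
<?php
// Added example, not Mahara's lib/file.php. safe_mime_type() and
// EXTENSION_MAP are invented names for illustration.
// Server-side extension -> MIME allowlist, consulted only when content
// sniffing is unavailable. Extend to the types the application accepts.
const EXTENSION_MAP = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
];

/**
 * MIME type of an upload, from its contents first, then its extension.
 * The browser-supplied $_FILES[...]['type'] is never consulted.
 *
 * @param string      $path      temp path of the upload (outside the webroot)
 * @param string      $origname  client filename, used only for its extension
 * @param string|null $magicfile explicit magic database; handing finfo a
 *                               known-good file avoids relying on the
 *                               distribution's external default db
 */
function safe_mime_type(string $path, string $origname, ?string $magicfile = null): ?string
{
    // 1. finfo content sniffing. Check every return value: when the magic
    //    db cannot be loaded, finfo_open() returns false rather than throwing,
    //    and finfo_file() returns false when the file cannot be read.
    if (function_exists('finfo_open')) {
        $finfo = $magicfile === null
            ? finfo_open(FILEINFO_MIME_TYPE)
            : finfo_open(FILEINFO_MIME_TYPE, $magicfile);
        if ($finfo !== false) {
            $type = finfo_file($finfo, $path);
            finfo_close($finfo);
            if (is_string($type) && $type !== '') {
                return $type;
            }
        }
    }

    // 2. finfo unusable: extension fallback via the allowlist above,
    //    never the raw extension string echoed back as a type.
    $ext = strtolower(pathinfo($origname, PATHINFO_EXTENSION));
    if (isset(EXTENSION_MAP[$ext])) {
        return EXTENSION_MAP[$ext];
    }

    // 3. Nothing reliable: report unknown instead of trusting the browser.
    return null;
}
```

A null result should be treated as "reject or quarantine", not as a cue to fall back to the client-supplied type.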
