mahara-contributors team mailing list archive
Message #17795
[Bug 1249858] Re: Mahara can't figure out mime types because of a finfo() bug
Update: in 1.8, we already trust the file_mime_type() result more than
the browser-supplied mimetype.
So now the way it works is:
1. Use finfo result if available
2. Use file extension if available
3. Use browser mime type if none of those matched
And when using *any* of these mime types, we only accept it if it
matches a mime type in our artefact_file_mime_types table, which comes
from the artefact/file/filetypes.xml file. If it's not a recognized mime
type, we fall back to application/octet-stream.
When serving files up, we always serve the mime type stored in the DB,
i.e. one of the ones from artefact/file/filetypes.xml. And files served
with the HTML mimetype are always sent as force-download, or passed
through htmlpurifier. So, there's not really much of a security threat
from trusting the user-supplied values (either the file extension or the
browser mimetype). Thus I think we should continue with trusting those
as a fallback if finfo() fails.
** Changed in: mahara/1.6
Status: Confirmed => In Progress
** Changed in: mahara/1.7
Status: Confirmed => In Progress
** Changed in: mahara/1.8
Status: Confirmed => In Progress
** Changed in: mahara/1.9
Status: Confirmed => In Progress
** Changed in: mahara
Status: Confirmed => In Progress
** Changed in: mahara/1.9
Milestone: 1.10.0 => 1.9.0
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1249858
Title:
Mahara can't figure out mime types because of a finfo() bug
Status in Mahara ePortfolio:
In Progress
Status in Mahara 1.6 series:
In Progress
Status in Mahara 1.7 series:
In Progress
Status in Mahara 1.8 series:
In Progress
Status in Mahara 1.9 series:
In Progress
Bug description:
There have been several notable Mahara bugs based around the fact that
our current handling of mimetypes is broken.
See for instance:
- https://bugs.launchpad.net/mahara/+bug/1220639
- https://bugs.launchpad.net/mahara/+bug/1249166
The problem is this:
1. You can't really trust the mimetype that the browser sends to you, because different browsers send different wacky things
2. Mahara has long used its own function file_mime_type() in lib/file.php for this purpose
3. file_mime_type() preferentially uses finfo() to check the mimetype. But, there's a bug in finfo() with an external magic db, which is how it is distributed on Ubuntu presently: https://bugs.php.net/bug.php?id=61940
4. file_mime_type() falls back to mime_content_type(). But that's now deprecated
5. If neither of those works, we fall back to trusting what the browser told us, which isn't really the best (see #1)
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1249858/+subscriptions
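The three-step detection chain from the update above, together with the whitelist check and the application/octet-stream fallback, and the failure mode the bug description lists (finfo() returning nothing because of the external magic db), as an added Python example. This is not Mahara's PHP file_mime_type() from lib/file.php and not code from the thread. The whitelist, the extension map and the magic signatures are constructed subsets standing in for artefact_file_mime_types / filetypes.xml and libmagic; the finfo_broken switch, the serve_headers() function and the nosniff header are assumptions of this example.

```python
"""Added illustration of the MIME detection chain discussed in bug 1249858:
content sniffing, then file extension, then the browser-supplied type, each
accepted only if whitelisted, otherwise application/octet-stream. Not Mahara
code; finfo_broken simulates finfo() giving no usable result."""
import os
from typing import Optional

# Constructed stand-in for artefact_file_mime_types (filetypes.xml). The real
# table is far larger; this subset is an assumption for the example.
ALLOWED_MIME_TYPES = {
    "image/png", "image/jpeg", "image/gif", "application/pdf",
    "text/html", "text/plain", "application/octet-stream",
}

# Extension -> MIME map (constructed subset, assumption).
EXTENSION_MIME = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "gif": "image/gif", "pdf": "application/pdf", "html": "text/html",
    "htm": "text/html", "txt": "text/plain",
}

# Leading-byte signatures standing in for libmagic (constructed subset).
MAGIC_SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]


def sniff_magic(data: bytes, finfo_broken: bool = False) -> Optional[str]:
    """Step 1: content sniffing, the role finfo() plays in Mahara.
    finfo_broken=True simulates the PHP bug from the thread: no usable
    magic db, so no result and the caller must fall through."""
    if finfo_broken:
        return None
    for signature, mime in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return mime
    return None


def extension_mime(filename: str) -> Optional[str]:
    """Step 2: extension lookup; None when absent or unknown."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return EXTENSION_MIME.get(ext)


def file_mime_type(data: bytes, filename: str, browser_mime: Optional[str],
                   finfo_broken: bool = False) -> str:
    """Content, then extension, then browser Content-Type. A candidate is
    used only if whitelisted; otherwise store application/octet-stream."""
    candidates = (
        sniff_magic(data, finfo_broken),   # step 1
        extension_mime(filename),          # step 2
        browser_mime,                      # step 3
    )
    for candidate in candidates:
        if candidate and candidate in ALLOWED_MIME_TYPES:
            return candidate
    return "application/octet-stream"


def serve_headers(stored_mime: str, filename: str) -> dict:
    """Serving side: always the DB-stored type; HTML is forced to download
    instead of rendered (the message's other option, passing HTML through
    HTML Purifier, is not shown). X-Content-Type-Options: nosniff is an
    extra hardening added here; the message does not mention it."""
    safe_name = os.path.basename(filename)
    for ch in ('"', "\r", "\n"):
        safe_name = safe_name.replace(ch, "")
    headers = {"Content-Type": stored_mime, "X-Content-Type-Options": "nosniff"}
    disposition = "attachment" if stored_mime in ("text/html", "application/octet-stream") else "inline"
    headers["Content-Disposition"] = f'{disposition}; filename="{safe_name}"'
    return headers


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample
    # Content beats a misleading name and browser type.
    print(file_mime_type(png, "page.html", "text/html"))  # image/png
    # finfo unavailable: the extension is the next source.
    print(file_mime_type(b"junk", "report.pdf", "text/plain", finfo_broken=True))  # application/pdf
    # Nothing recognised anywhere: octet-stream.
    print(file_mime_type(b"junk", "blob", "application/x-foo", finfo_broken=True))  # application/octet-stream
    print(serve_headers("text/html", "page.html")["Content-Disposition"])  # attachment; filename="page.html"
```

Note the residual risk the message accepts: when sniffing is unavailable, a file named report.pdf with arbitrary contents is stored as application/pdf on the strength of its name alone. The whitelist keeps the stored type to a known set and the HTML handling keeps the stored type from turning into script execution in the portfolio's origin, which is why the message judges the extension and browser fallbacks acceptable.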