mahara-contributors team mailing list archive

[Aaron Wells <1302251@xxxxxxxxxxxxxxxxxx>]

What should we do to fix this? Well, probably the best thing is to just
copy the Moodle approach. They only use the file extension to identify
files, and they have a pretty large list of known file types.
Additionally, we could make this user-extensible, allowing sites to
identify other types of obscure or unusual files that their students are
uploading.

My only worry is whether this might have any security ramifications. But
I think we're pretty safe, because of the limited number of mimetypes
that we serve the content back out as. Additionally, we provide the
option to pass file uploads through clamav, which should pick up any
malicious file uploads.

If trusting the file extension is in general a security issue, then what
we could do is just have a list of extension-based exceptions. For
instance, if the mimetype detected is zip, then we check the file
extension and see that a zip that ends in .docx should be treated as a
Word document rather than a zip file.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1302251

Title:
  MS Office files being seen as zip archives

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  Now that we've got file_mime_type() working with the PHP fileinfo
  library correctly, it has caused a problem. Microsoft Office 2007+
  "docx" files are recognized as zip archives by fileinfo!

  So when users upload a .docx file into Mahara, they see a ZIP icon,
  and they have the option to decompress the archive. Which they should
  not.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1302251/+subscriptions