
mahara-contributors team mailing list archive

[Bug 1564715] Re: Change Mahara's content-sniffing to match the WHATWG standard

 

For comparison, Mahara's current system is basically:

1. Examine the file suffix of the file and see if it matches one in our list
2. If that doesn't work, try it using the PHP finfo() command (which relies on libmagic's "magicdb" file)
3. If finfo is not available, or we can't find the magicdb file, try it using the PHP mime_content_type() command (which relies on the system's "magic.mime" file).
4. If that doesn't work, return the generic "application/octet-stream".

We also try to mitigate the possible threat posed by incorrect
MIME types, by adding "Content-Disposition: attachment" to files unless
they're being served inline (like the "src" of an image tag, or an HTML5
audio/video), to try to prevent the browser from handling the file
directly.

https://bugs.launchpad.net/bugs/1564715

Title:
  Change Mahara's content-sniffing to match the WHATWG standard

Status in Mahara:
  New

Bug description:
  WHATWG (Web Hypertext Application Technology Working Group) is
  basically the official specification organization for HTML5. They've
  written up some specifications about the correct & secure way that
  HTTP clients & servers ought to deal with file content types aka MIME
  types: https://mimesniff.spec.whatwg.org
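
The four-step fallback chain and the Content-Disposition mitigation described in the comment above, as an added PHP example; it is not Mahara's code and not part of the original message. The function names, the suffix list and the sample file are assumptions made for illustration.

```php
<?php
// Added illustration, not Mahara's code. The suffix list is a constructed sample.
const SUFFIX_TYPES = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];

// Steps 1-4 from the message: suffix list, finfo, mime_content_type(), generic type.
function guess_mimetype(string $path, string $filename): string {
    // Step 1: look the file suffix up in the known list.
    $suffix = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (array_key_exists($suffix, SUFFIX_TYPES)) {
        return SUFFIX_TYPES[$suffix];
    }
    // Step 2: libmagic via finfo, if the extension and its database are usable.
    if (function_exists('finfo_open') && ($finfo = @finfo_open(FILEINFO_MIME_TYPE))) {
        $type = finfo_file($finfo, $path);
        if (is_string($type) && $type !== '') {
            return $type;
        }
    }
    // Step 3: fall back to mime_content_type().
    if (function_exists('mime_content_type')) {
        $type = @mime_content_type($path);
        if (is_string($type) && $type !== '') {
            return $type;
        }
    }
    // Step 4: nothing matched, return the generic type.
    return 'application/octet-stream';
}

// Response headers for a stored file; $inline is true only for img/audio/video sources.
function download_headers(string $path, string $filename, bool $inline): array {
    $headers = ['Content-Type: ' . guess_mimetype($path, $filename)];
    if (!$inline) {
        // Keep only characters that cannot break out of the quoted filename.
        $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filename));
        $headers[] = 'Content-Disposition: attachment; filename="' . $safe . '"';
    }
    return $headers;
}

// Constructed sample: HTML content stored under an image suffix.
$tmp = tempnam(sys_get_temp_dir(), 'demo');
file_put_contents($tmp, '<html><body>hello</body></html>');
print_r(download_headers($tmp, 'avatar.png', false));
unlink($tmp);
```

Because the suffix lookup runs first, the constructed HTML file named avatar.png is labelled image/png without its content being examined, which is the case the attachment disposition is there to contain.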
