Hi, I was testing the upload feature of Drupal, when I noticed that using Firefox (2.0.0.6) all .pdf files was uploaded with "application/download" mimetype, when using Opera (9.23) all uploads went ok. I checked also the files DB table and in the filemime column for file uploaded with Firefox is stored "application/download".

Maybe would be great if Drupal don't always trust the user mimetype and (if possible) do a secondary test for the uploaded file mimetype using (if enabled) PHP mime_content_type() or another equivalent function. Some info here

Regards

-thePanz-

CommentFileSizeAuthor
#7 file_mimetype_check.d7.patch2.57 KBFreso
#3 file_mimetype_check_D6.patch2.53 KBthepanz
#2 file_mimetype_check_D5.patch2.6 KBthepanz

Comments

thepanz’s picture

thepanz commented

Is there also a Bug report for Firefox that sends wrong MIME type for .pdf files here: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/84880

thepanz’s picture

thepanz commented
Status: Active » Needs work
StatusFileSize
new file_mimetype_check_D5.patch2.6 KB

I created a Patch for Drupal 5.2, needs work to get PECL FileInfo more stable with Lnux and Windows systems

thepanz’s picture

thepanz commented
Version: 5.2 » 6.x-dev
StatusFileSize
new file_mimetype_check_D6.patch2.53 KB

Patch for Drupal6-HEAD

drewish’s picture

drewish commented

the patch needs work. it doesn't follow the Drupal coding standards

thepanz’s picture

thepanz commented
Status: Needs work » Postponed (maintainer needs more info)

I try to follow Drupal-conding standards, maybe I missed something, sorry..

I know that's not the cleanest way to accomplish mime-detecting, and I'd like to hear others suggestions..

Regards

Freso’s picture

Freso commented
Version: 6.x-dev » 7.x-dev

I just made a re-roll of this as well as fixing some style issues. However, cvs diff won't work until #261454: CVS pserver down? is fixed, so... :/

Freso’s picture

Freso commented
Status: Postponed (maintainer needs more info) » Needs review
StatusFileSize
new file_mimetype_check.d7.patch2.57 KB

Here's the re-roll with various style fixes. Not tested.

treksler’s picture

treksler commented

hi

http://drupal.org/node/43220
was committed and closed and the comments clearly said .. mime checking was only removed until something better came along

well here it is
i will i give this approach a try

there is also http://drupal.org/project/mimedetect
that may have useful code in there for a patch to detect mime types

drewish’s picture

drewish commented
Status: Needs review » Closed (duplicate)

this was addressed in the last security release #295053: SA-2008-047 - Drupal core - Multiple vulnerabilities