Project: Drupal Version: 4.5.2 Component: file system Category: bug reports Priority: normal Assigned to: Anonymous Reported by: tangent Updated by: tangent Status: patch Has anyone tested this patch? I think this is an issue that needs to be addressed. I'm just not sure we want all those extension tests in there. tangent Previous comments: ------------------------------------------------------------------------ January 24, 2005 - 23:29 : tangent Files attached to issues (like patch files) which have "inc" in the filename are incorrectly served with a text/html mime type and their contents are marked up with html. This is clearly inappropriate. See the issue below for some examples of this occurance. http://drupal.org/node/16021 ------------------------------------------------------------------------ January 24, 2005 - 23:51 : tangent A filename with "module" in the name is also served the same way. Perhaps we should also test for "mysql, pgsql, php, css, xtmpl, sh, pl, txt" and any other text file extensions. If this is not desirable, at least change the filter to look for these extensions *at the end* of the filename and allow .patch (or possibly .diff) files to be served as plain text. ------------------------------------------------------------------------ January 30, 2005 - 12:32 : Dries The project module saves the mime-type sent by the browser when uploading the patch, and reuses that when serving the patch for download. It looks like some people upload patches with the wrong mime-type set. ------------------------------------------------------------------------ January 31, 2005 - 13:01 : tangent Attachment: http://drupal.org/files/issues/file_mimetype.patch (3.81 KB) This issue is a symptom caused by faulty mimetype handling in file.inc so I'm updating the issue to the correct component. The old title was "File attachments with '.inc' in filename are served as HTML". Apparently, the real issue is that file.inc currently stores the content-type presented by the user-agent when file is uploaded. This is not the best thing to do because a user-agent can present an incorrect content-type either inadvertantly or, when used by a malicious person, purposefully. There are a couple of methods to determine the actual mimetype of a file but they all have drawbacks. The Fileinfo (http://pecl.php.net/package/fileinfo) PHP extension is the recommended tool for the job but is not typically available on a typical host. The mime_content_type() function requires the "file" program to be available which is not always the case either. Then there is the fallback method of testing the filename extension against a list of internally known extensions. I've created a patch which attempts the first 2 options and then falls back to the third. There may be a better option which I have not thought of though so feel free to offer suggestions. -- View: http://drupal.org/node/16142 Edit: http://drupal.org/project/comments/add/16142