[drupal-devel] [bug] File attachments are sometimes saved with an
incorrect mimetype
tangent
drupal-devel at drupal.org
Tue Feb 1 22:54:09 UTC 2005
Project: Drupal
Version: 4.5.2
Component: file system
Category: bug reports
Priority: normal
Assigned to: Anonymous
Reported by: tangent
Updated by: tangent
Status: patch
Has anyone tested this patch?
I think this is an issue that needs to be addressed. I'm just not sure
we want all those extension tests in there.
tangent
Previous comments:
------------------------------------------------------------------------
January 24, 2005 - 23:29 : tangent
Files attached to issues (like patch files) which have "inc" in the
filename are incorrectly served with a text/html mime type and their
contents are marked up with html. This is clearly inappropriate.
See the issue below for some examples of this occurance.
http://drupal.org/node/16021
------------------------------------------------------------------------
January 24, 2005 - 23:51 : tangent
A filename with "module" in the name is also served the same way.
Perhaps we should also test for "mysql, pgsql, php, css, xtmpl, sh, pl,
txt" and any other text file extensions. If this is not desirable, at
least change the filter to look for these extensions *at the end* of
the filename and allow .patch (or possibly .diff) files to be served as
plain text.
------------------------------------------------------------------------
January 30, 2005 - 12:32 : Dries
The project module saves the mime-type sent by the browser when
uploading the patch, and reuses that when serving the patch for
download. It looks like some people upload patches with the wrong
mime-type set.
------------------------------------------------------------------------
January 31, 2005 - 13:01 : tangent
Attachment: http://drupal.org/files/issues/file_mimetype.patch (3.81 KB)
This issue is a symptom caused by faulty mimetype handling in file.inc
so I'm updating the issue to the correct component. The old title was
"File attachments with '.inc' in filename are served as HTML".
Apparently, the real issue is that file.inc currently stores the
content-type presented by the user-agent when file is uploaded. This
is not the best thing to do because a user-agent can present an
incorrect content-type either inadvertantly or, when used by a
malicious person, purposefully.
There are a couple of methods to determine the actual mimetype of a
file but they all have drawbacks.
The Fileinfo (http://pecl.php.net/package/fileinfo) PHP extension is
the recommended tool for the job but is not typically available on a
typical host. The mime_content_type() function requires the "file"
program to be available which is not always the case either. Then there
is the fallback method of testing the filename extension against a list
of internally known extensions.
I've created a patch which attempts the first 2 options and then falls
back to the third. There may be a better option which I have not
thought of though so feel free to offer suggestions.
--
View: http://drupal.org/node/16142
Edit: http://drupal.org/project/comments/add/16142
More information about the drupal-devel
mailing list