[drupal-devel] [bug] File attachments are sometimes saved with an incorrect mimetype

tangent drupal-devel at drupal.org
Mon Jan 31 18:01:26 UTC 2005

-Project:      Project
+Project:      Drupal
-Version:      cvs
+Version:      4.5.2
-Component:    Issues
+Component:    file system
 Category:     bug reports
 Priority:     normal
 Assigned to:  Anonymous
 Reported by:  tangent
 Updated by:   tangent
-Status:       active
+Status:       patch
 Attachment:   http://drupal.org/files/issues/file_mimetype.patch (3.81 KB)

This issue is a symptom caused by faulty mimetype handling in file.inc
so I'm updating the issue to the correct component. The old title was
"File attachments with '.inc' in filename are served as HTML".
Apparently, the real issue is that file.inc currently stores the
content-type presented by the user-agent when a file is uploaded. This
is not the best thing to do because a user-agent can present an
incorrect content-type either inadvertently or, when used by a
malicious person, purposefully.
There are a couple of methods to determine the actual mimetype of a
file but they all have drawbacks.
The Fileinfo (http://pecl.php.net/package/fileinfo) PHP extension is
the recommended tool for the job but is not typically available on a
typical host. The mime_content_type() function requires the "file"
program to be available which is not always the case either. Then there
is the fallback method of testing the filename extension against a list
of internally known extensions.
I've created a patch which attempts the first 2 options and then falls
back to the third. There may be a better option which I have not
thought of though so feel free to offer suggestions.


Previous comments:

January 24, 2005 - 23:29 : tangent

Files attached to issues (like patch files) which have "inc" in the
filename are incorrectly served with a text/html mime type and their
contents are marked up with html. This is clearly inappropriate.
See the issue below for some examples of this occurrence.


January 24, 2005 - 23:51 : tangent

A filename with "module" in the name is also served the same way.
Perhaps we should also test for "mysql, pgsql, php, css, xtmpl, sh, pl,
txt" and any other text file extensions. If this is not desirable, at
least change the filter to look for these extensions *at the end* of
the filename and allow .patch (or possibly .diff) files to be served as
plain text.


January 30, 2005 - 12:32 : Dries

The project module saves the mime-type sent by the browser when
uploading the patch, and reuses that when serving the patch for
download.  It looks like some people upload patches with the wrong
mime-type set.

View: http://drupal.org/node/16142
Edit: http://drupal.org/project/comments/add/16142
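
The three-step detection described in the message above, as an added example: this is not the attached file_mimetype.patch and not Drupal's own code. The function name detect_mimetype(), the extension map and the sample file are assumptions, and the Fileinfo calls are the ones bundled with current PHP.

```php
<?php
// Added example. detect_mimetype() and $known_extensions are hypothetical
// names; the extension list is constructed from those named in the thread.

/**
 * Determine a file's MIME type on the server. The Content-Type sent by
 * the user-agent with the upload is deliberately never consulted.
 */
function detect_mimetype($path, $filename) {
  // 1. Fileinfo: inspects the file contents.
  if (class_exists('finfo')) {
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $type = $finfo->file($path);
    if (is_string($type) && $type !== '') {
      return $type;
    }
  }

  // 2. mime_content_type(): also content based, where the host has it.
  if (function_exists('mime_content_type')) {
    $type = @mime_content_type($path);
    if (is_string($type) && $type !== '') {
      return $type;
    }
  }

  // 3. Fallback: known extensions, matched only at the END of the name,
  //    so "file.inc.patch" is judged by "patch" and not by "inc".
  $known_extensions = array(
    'patch' => 'text/plain', 'diff' => 'text/plain', 'txt' => 'text/plain',
    'inc' => 'text/plain', 'module' => 'text/plain', 'php' => 'text/plain',
    'mysql' => 'text/plain', 'pgsql' => 'text/plain', 'xtmpl' => 'text/plain',
    'sh' => 'text/plain', 'pl' => 'text/plain', 'css' => 'text/css',
  );
  $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
  if (isset($known_extensions[$ext])) {
    return $known_extensions[$ext];
  }

  // Unknown type: a generic binary type that browsers do not render.
  return 'application/octet-stream';
}

// Constructed sample: a small patch stored under a temporary upload name.
$tmp = tempnam(sys_get_temp_dir(), 'mt');
file_put_contents($tmp, "--- a/file.inc\n+++ b/file.inc\n@@ -1 +1 @@\n-old\n+new\n");
echo detect_mimetype($tmp, 'file.inc.patch'), "\n";
unlink($tmp);
```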
