From what I understand, the browser can send whatever mime type it wants.
And yes, there are security concerns here.  In my experience, dealing with
mime types is a pain in the ____ because browsers don't always seem to
follow a standard when processing files.  I think I found a Java library
that did a good job at identifying files (after the upload).  I know that
you can't trust the mime type that is sent from the browser, because it
varies depending on the user agent, as you found.

On Mon, Sep 27, 2010 at 11:56 PM, Matt Quackenbush <quackfu...@gmail.com> wrote:

>
> This might be slightly off topic, but I am hoping that someone can steer me
> in the right direction.
>
> I have an upload form that should accept CSV files and nothing else.  So I
> set the following MIME types as permitted:
>
> text/csv,text/comma-separated-values,application/csv,application/x-csv
>
> I have tested files on multiple machines using multiple OS and browser
> combinations.  The exact same files work perfectly in some instances, yet
> fail in others.  Even more strange is the fact that the failures have shown
> up as different MIME types.  For example, I have seen "text/plain" and
> "application/vnd.ms-excel" and "application/octet-stream".  This whole
> thing
> leads me to two questions:
>
> 1) How can the exact same file be sent as a different MIME type depending
> upon the OS/browser combination?
>
> 2) Is it truly the security risk that it seems to be if I were to allow
> "application/octet-stream", which as I understand is essentially a binary
> format?  (The upload form and processor are behind a login, and the directory
> is outside of the web root, so that much is "safe".)
>
> Thanks in advance for your help.
>
>
> 

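The reply's point is that the browser-supplied Content-Type is just a label the client chose, so an upload filter has to look at the bytes themselves. The following is an added example, not code from this thread or from the cf-talk list (the list's own language is ColdFusion; Python is used here only for illustration). It accepts the four labels the original poster saw for the same CSV, and rejects binary bodies regardless of what they were declared as. The sample payloads, the size limit and the "at least two columns" rule are all constructed assumptions for the demo.

```python
import csv
import io

# Constructed sample upload (not from the thread): one CSV body that, per the
# original post, arrived under several different Content-Type labels.
SAMPLE_CSV = b"id,name,amount\r\n1,alice,10.50\r\n2,bob,7\r\n"
DECLARED_TYPES = [
    "text/csv",
    "text/plain",
    "application/vnd.ms-excel",
    "application/octet-stream",
]

# Constructed non-CSV bodies that could just as easily be labelled "text/csv".
SAMPLE_ZIP_LIKE = b"PK\x03\x04" + b"\x00" * 28            # ZIP container header
SAMPLE_OLE_LIKE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8  # legacy .xls container header

TEXT_CONTROL_ALLOWED = {0x09, 0x0A, 0x0D}   # tab, LF, CR are the only control bytes allowed
MAX_BYTES = 5 * 1024 * 1024                 # assumed upload cap for the demo


def looks_like_text(data: bytes) -> bool:
    """A real CSV is plain text: any NUL or other control byte means 'binary'."""
    return all(b >= 0x20 or b in TEXT_CONTROL_ALLOWED for b in data)


def validate_csv_upload(data: bytes, declared_type: str = "") -> tuple[bool, str]:
    """Decide from the bytes alone; declared_type is only echoed for the log line.

    Returns (accepted, reason). The column rule (header with >= 2 fields, every
    row the same width) is an assumed policy for this example, not a CSV rule.
    """
    label = declared_type or "n/a"
    if not data:
        return False, f"empty upload (declared {label})"
    if len(data) > MAX_BYTES:
        return False, f"too large (declared {label})"
    if not looks_like_text(data):
        return False, f"binary content (declared {label})"
    try:
        text = data.decode("utf-8-sig")     # tolerate a BOM, reject invalid UTF-8
    except UnicodeDecodeError:
        return False, f"not valid UTF-8 (declared {label})"

    rows = [r for r in csv.reader(io.StringIO(text, newline="")) if r]
    if not rows:
        return False, f"no rows (declared {label})"
    width = len(rows[0])
    if width < 2:
        return False, f"header has fewer than two columns (declared {label})"
    bad = [i for i, r in enumerate(rows) if len(r) != width]
    if bad:
        return False, f"inconsistent column count at row(s) {bad[:5]} (declared {label})"
    return True, f"ok: {len(rows)} rows x {width} columns (declared {label})"


def demo() -> dict[str, bool]:
    """Run the same CSV under every observed label, plus two binary decoys."""
    results = {t: validate_csv_upload(SAMPLE_CSV, t)[0] for t in DECLARED_TYPES}
    results["zip-as-text/csv"] = validate_csv_upload(SAMPLE_ZIP_LIKE, "text/csv")[0]
    results["xls-as-text/csv"] = validate_csv_upload(SAMPLE_OLE_LIKE, "text/csv")[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28} accepted={ok}")
```

The declared type never influences the decision; it is kept only so the rejection reason records what the client claimed, which is useful when chasing down the browser-specific behaviour described in the thread. A stricter deployment would also cap row and field counts and parse with the same CSV library the downstream processor uses, so that "valid" means valid for that consumer.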
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:337607