On Jan 22, 2009, at 10:13 AM, Thomas Bruederli wrote:

> I tend to switch back and just trust the mime-type
> submitted by the client (when uploading).

Hmmm, that made my security radar do a beep. Trusting user input isn't always safe.

An example with non-serious consequences: In an application I built, I had a simple check for a file type, and refused uploads if the file didn't meet our requirements. Users would simply rename the file with a different extension, which would make the browser report the required mime type. I had to add a check that used something like 'file -ib' to make sure something goofy wasn't going on.

It seems fileinfo - libmagic has a bit of a hard time with Microsoft formats, which are common e-mail file attachments. This may be why the comment:

> That server-side mime-type detection seems to cause more problems than
> solving them.

My application referenced above required a file type far different from Word, Excel, etc. so I didn't run into problems.

-- 
Charles Dostale
System Admin - Silver Oaks Communications
http://www.silveroaks.com/
824 17th Street, Moline IL 61265

_______________________________________________
List info: http://lists.roundcube.net/dev/
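
Added example, not part of the original message and not Roundcube code: a minimal content check in the spirit of the 'file -ib' test described above, rejecting an upload whose leading bytes contradict the client-claimed type while accepting the generic container signature for Microsoft formats. The signature table, the container mapping and the application/x-ole-storage label are assumptions made for this illustration.

```python
# Added illustration: signature table and container mapping are constructed
# for this example; they are not libmagic's database or Roundcube code.
SIGNATURES = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"PK\x03\x04", "application/zip"),  # also .docx/.xlsx/.pptx
    # OLE2 compound file, shared by legacy .doc/.xls/.ppt; label chosen here
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/x-ole-storage"),
]

# Office types whose content can only be narrowed to a generic container
CONTAINER_FOR = {
    "application/msword": "application/x-ole-storage",
    "application/vnd.ms-excel": "application/x-ole-storage",
    "application/vnd.openxmlformats-officedocument"
    ".wordprocessingml.document": "application/zip",
}

def sniff(data):
    """Return a MIME type based on leading bytes only."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"

def check_upload(claimed, data, allowed):
    """Return (accepted, reason) for a client-claimed type and file content."""
    claimed = claimed.split(";")[0].strip().lower()
    if claimed not in allowed:
        return False, "claimed type %s is not allowed" % claimed
    detected = sniff(data)
    if detected == claimed or CONTAINER_FOR.get(claimed) == detected:
        return True, "content is consistent with %s" % claimed
    return False, "claimed %s but content is %s" % (claimed, detected)

ALLOWED = {"application/pdf", "application/msword"}
# Constructed samples: only the first bytes of each file type
RENAMED_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # PNG uploaded as report.pdf
REAL_PDF = b"%PDF-1.4\n%constructed\n"
LEGACY_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16

if __name__ == "__main__":
    for claimed, data in [("application/pdf", RENAMED_PNG),
                          ("application/pdf", REAL_PDF),
                          ("application/msword", LEGACY_DOC)]:
        print(claimed, check_upload(claimed, data, ALLOWED))
```

The container mapping is what keeps Word and Excel attachments from being refused: their leading bytes identify only a generic OLE2 or ZIP container, so a strict equality test against the claimed type would reject them.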
