For comparison, Mahara's current system is basically:

1. Examine the file suffix of the file and see if it matches one in our list
2. If that doesn't work, try it using the PHP finfo() command (which relies on libmagic's "magicdb" file)
3. If finfo is not available, or we can't find the magicdb file, try it using the PHP mime_content_type() command (which relies on the system's "magic.mime" file).
4. If that doesn't work, return the generic "application/octet-stream".

We also try to mitigate the possible threat posed by incorrect MIME types, by adding "Content-Disposition: attachment" to files unless they're being served inline (like the "src" of an image tag, or an HTML5 audio/video), to try to prevent the browser from handling the file directly.

https://bugs.launchpad.net/bugs/1564715

Title:
  Change Mahara's content-sniffing to match the WHATWG standard

Status in Mahara:
  New

Bug description:
  WHATWG (Web Hypertext Application Technology Working Group) is basically the official specification organization for HTML5. They've written up some specifications about the correct & secure way that HTTP clients & servers ought to deal with file content types aka MIME types: https://mimesniff.spec.whatwg.org
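
The detection order and the Content-Disposition mitigation described in the comment above, sketched in PHP as an added example. This is not Mahara's own code; the function names, the SUFFIX_MAP list and the $inline flag are hypothetical.

```php
<?php
// Added illustration, not Mahara's implementation. SUFFIX_MAP is a constructed sample list.
const SUFFIX_MAP = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
    'mp4' => 'video/mp4',
    'txt' => 'text/plain',
];

function detect_mimetype(string $path, string $filename): string {
    // 1. Suffix lookup against the known list.
    $suffix = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($suffix !== '' && isset(SUFFIX_MAP[$suffix])) {
        return SUFFIX_MAP[$suffix];
    }
    // 2. finfo (libmagic), if the extension is loaded and its magic database opens.
    if (function_exists('finfo_open')) {
        $finfo = @finfo_open(FILEINFO_MIME_TYPE);
        if ($finfo !== false) {
            $type = finfo_file($finfo, $path);
            if (is_string($type) && $type !== '') {
                return $type;
            }
        }
    }
    // 3. mime_content_type() when finfo is missing or could not give an answer.
    if (function_exists('mime_content_type')) {
        $type = @mime_content_type($path);
        if (is_string($type) && $type !== '') {
            return $type;
        }
    }
    // 4. Generic fallback: the browser gets no hint that the file is renderable.
    return 'application/octet-stream';
}

function serve_file(string $path, string $filename, bool $inline): void {
    header('Content-Type: ' . detect_mimetype($path, $filename));
    if (!$inline) {
        // Not an <img>/<audio>/<video> source: force a download so a wrongly
        // detected type is saved to disk instead of rendered by the browser.
        // The filename is reduced to a conservative character set for the header.
        $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filename));
        header('Content-Disposition: attachment; filename="' . $safe . '"');
    }
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

Because step 1 trusts the uploaded name alone, a file whose suffix is on the list never reaches the content-based checks in steps 2 and 3, which is why the attachment header matters for anything not served inline.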

