Posted by Curt Zirzow on 12/09/05 07:27
On Thu, Dec 08, 2005 at 02:41:43PM -0500, Zack Bloom wrote:
> mime types are very unreliable and should never be used for file type
> authentication (they can also be faked by users). Instead you could try
> using the extension of the file or an identifying statement in the file.

He isn't using the mime-type, the fileinfo module detects the
content type based on a magic file that defines, as you said, a
particular statement in the file and returns the mime-type associated
with the magic.

Assuming you meant the mime/type sent via a file upload, trying to
detect the file type by the extension is just as unreliable.

Even identifying contents of the file is not as reliable as one
would think; it can also be spoofed. For example with jpeg, there
are several tools out there that will take a file, wrap a jpeg
image around the file and embed the real contents inside of the
file, and if your app just detects the magic contents, it will pass
the test.

The only way to ensure a file is what it really is, is to open and
resave it with a trusted application. Using the jpeg example you
would need to do something like:

    djpeg "$file" | cjpeg > testfile.jpg

Well, with jpeg, the files will always be different but a fuzzy match
based on filesize closeness and/or similar bit distribution.

> On 12/8/05, Manuel Vacelet <manuel.vacelet@gmail.com> wrote:
> >
> > Hi all,
> >
> > I'm facing a bad behaviour of 'file' command used by fileinfo PECL module
> > (recommended for mime-type checking):
> > * Some Microsoft Excel documents are detected as Microsoft Word documents
> > * Some HTML files are just text/plain
> > * ...
> >
Curt.
--
cat .signature: No such file or directory
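
The re-save step from the message above, written as a reusable upload check. This is an added example, not part of the original post: it assumes libjpeg's djpeg and cjpeg are on PATH, and the function name sanitize_jpeg and its variable names are hypothetical.

```shell
# Added example: accept an uploaded file as a JPEG only if a trusted decoder
# can read it, and store only the re-encoded copy, never the original bytes.
# Usage: sanitize_jpeg /path/to/upload /path/to/stored.jpg
# Returns 0 = re-encoded copy written, 1 = rejected, 2 = could not run.
sanitize_jpeg() {
    sj_src=$1
    sj_dst=$2
    [ -f "$sj_src" ] || return 2
    sj_work=$(mktemp -d) || return 2
    sj_rc=1

    # Step 1: decode to raw pixels (PNM). A non-zero status or empty output
    #         means the decoder did not accept the file, so it is rejected.
    # Step 2: build a fresh JPEG from those pixels alone. The PNM holds only
    #         pixel data, so nothing else from the upload reaches the output.
    # Step 3: publish the result only after both steps succeeded.
    # Two separate steps are used instead of a pipe so that a decoder failure
    # is not hidden behind the encoder's exit status.
    if djpeg -pnm "$sj_src" > "$sj_work/pixels.pnm" 2> /dev/null &&
       [ -s "$sj_work/pixels.pnm" ] &&
       cjpeg "$sj_work/pixels.pnm" > "$sj_work/clean.jpg" 2> /dev/null &&
       [ -s "$sj_work/clean.jpg" ] &&
       mv "$sj_work/clean.jpg" "$sj_dst"
    then
        sj_rc=0
    fi

    rm -rf "$sj_work"
    return "$sj_rc"
}
```

The file served back to users is the re-encoded copy at the destination path; the upload itself is discarded whether or not it passed.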