Update: in 1.8, we already trust the file_mime_type() result more than
the browser-supplied mimetype.
So now the way it works is:
1. Use finfo result if available
2. Use file extension if available
3. Use browser mime type if none of those matched
And when using *any* of these mime types, we only accept it if it
matches a mime type in our artefact_file_mime_types table, which comes
from the artefact/file/filetypes.xml file. If it's not a recognized mime
type, we fall back to application/octet-stream.
When serving files up, we always serve the mime type stored in the DB,
i.e. one of the ones from artefact/file/filetypes.xml. And files served
with the HTML mimetype are always sent as force-download, or passed
through htmlpurifier. So, there's not really much of a security threat
from trusting the user-supplied (either the file extension or the
browser mimetype). Thus I think we should continue with trusting those
as a fallback if finfo() fails.
** Changed in: mahara/1.6
Status: Confirmed => In Progress
** Changed in: mahara/1.7
Status: Confirmed => In Progress
** Changed in: mahara/1.8
Status: Confirmed => In Progress
** Changed in: mahara/1.9
Status: Confirmed => In Progress
** Changed in: mahara
Status: Confirmed => In Progress
** Changed in: mahara/1.9
Milestone: 1.10.0 => 1.9.0
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1249858
Title:
Mahara can't figure out mime types because of a finfo() bug
Status in Mahara ePortfolio:
In Progress
Status in Mahara 1.6 series:
In Progress
Status in Mahara 1.7 series:
In Progress
Status in Mahara 1.8 series:
In Progress
Status in Mahara 1.9 series:
In Progress
Bug description:
There have been several notable Mahara bugs based around the fact that
our current handling of mimetypes is broken.
See for instance:
- https://bugs.launchpad.net/mahara/+bug/1220639
- https://bugs.launchpad.net/mahara/+bug/1249166
The problem is this:
1. You can't really trust the mimetype that the browser sends to you, because
different browsers send different wacky things
2. Mahara has long used its own function file_mime_type() in lib/file.php for
this purpose
3. file_mime_type() preferentially uses finfo() to check the mimetype. But,
there's a bug in finfo() with an external magic db, which is how it is
distributed on Ubuntu presently: https://bugs.php.net/bug.php?id=61940
4. file_mime_type() falls back to mime_content_type(). But that's now
deprecated
5. If neither of those works, we fall back to trusting what the browser told
us, which isn't really the best (see #1)
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1249858/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help : https://help.launchpad.net/ListHelp
