Re: [FRIDAY] Mime Type Validation
On Fri, 16 Jul 2010 10:26:11 -0400, Christopher Schultz wrote:

> If filename extensions are sufficient, you can get this information
> directly from the servlet container using ServletContext.getMimeType.
> There's also the activation framework's MimetypesFileMap.getContentType.
>
> Another option might be to use the UNIX 'file' command, which will
> actually scan part(s) of the content of the file to determine what it
> is. It does not emit MIME types, though.
>
> Here's some good information, too:
> http://fredeaker.blogspot.com/2006/12/file-type-mime-detection.html
>
> Good luck, and let us know what you find.

Thanks for all the suggestions & ideas. We are leaning towards using a simple filename/extension check, as we feel that will catch 99%+ of the problems.

One additional option we'll look at is:

java.net.URLConnection.guessContentTypeFromName(fileName)

In case anyone's interested, Firefox seems to maintain a cache of mime type mappings in the user profile (mimeTypes.rdf). This can (for reasons unclear) get messed up, and can result in Firefox reporting the wrong mime type on a file upload. We had one instance of a user uploading a PDF and Firefox was reporting it as video/x-flv. Deleting the mimeTypes.rdf file causes FF to create a fresh default copy and removes the problem.

Thanks again-
Steve
Re: [FRIDAY] Mime Type Validation
I've used this before, and it seemed to work well.

http://jmimemagic.sourceforge.net

Some more alternatives are here:

http://www.rgagnon.com/javadetails/java-0487.html

--
Greg Akins
http://insomnia-consulting.org
http://www.pghcodingdojo.org
http://pittjug.dev.java.net
http://twitter.com/akinsgre
http://www.linkedin.com/in/akinsgre
Re: [FRIDAY] Mime Type Validation
My experience is that you cannot trust the mime-type supplied by the browser on a file upload. The same file uploaded with FF or IE will give you different mime-types. It's also dependent on what plugins have been installed in the browser.

The only truly reliable method would be to examine the file; you can't trust the mime-type the client supplies.

If you only allow a limited number of file types, e.g. only image files, you should be able to get a list of valid headers/magic numbers and check that the file matches.

If you want to know what the content of an untrusted file is, then I would look at one of the Apache indexing/searching projects, as they likely have file type detection logic.

On Fri, Jul 16, 2010 at 9:21 AM, Stephen Turner wrote:

> We're using Struts 2 for file uploading, and we're filtering the types of
> files people can upload by checking the file's content type against a list
> of allowed mime types.
>
> This turns out not to be reliable enough. Firefox in particular seems to
> sometimes provide the wrong mime type, so some valid files are being
> rejected.
>
> My question is: has anyone come across a reliable way to detect a file's
> mime type?
>
> Thanks,
> Steve
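The allow-list approach discussed in this thread (an extension check combined with the magic-number check suggested above), as an added example that is not code from any poster. The class name, the signature table and the sample bytes are assumptions made for illustration, and it needs Java 9 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class UploadTypeCheck {
    // Hypothetical allow-list: extension -> leading byte signatures accepted for it.
    private static final Map<String, List<byte[]>> SIGNATURES = Map.of(
        "pdf", List.of(ascii("%PDF-")),
        "png", List.of(new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}),
        "gif", List.of(ascii("GIF87a"), ascii("GIF89a")),
        "jpg", List.of(new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF}),
        "jpeg", List.of(new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF}));

    private static byte[] ascii(String s) {
        return s.getBytes(StandardCharsets.US_ASCII);
    }

    /** True only if the extension is allowed and the content starts with a matching signature. */
    public static boolean isAllowed(String fileName, byte[] head) {
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) {
            return false; // no extension at all
        }
        String ext = fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        List<byte[]> sigs = SIGNATURES.get(ext);
        if (sigs == null) {
            return false; // extension is not on the allow-list
        }
        for (byte[] sig : sigs) {
            if (head.length >= sig.length
                    && Arrays.equals(Arrays.copyOf(head, sig.length), sig)) {
                return true;
            }
        }
        return false; // content does not match the type the name claims
    }

    public static void main(String[] args) {
        // Constructed samples; the browser-reported content type is never consulted.
        byte[] pdf = ascii("%PDF-1.4\n% constructed sample");
        byte[] html = ascii("<html><body>constructed sample</body></html>");
        System.out.println("report.PDF with PDF bytes:  " + isAllowed("report.PDF", pdf));
        System.out.println("report.pdf with HTML bytes: " + isAllowed("report.pdf", html));
        System.out.println("tool.exe with PDF bytes:    " + isAllowed("tool.exe", pdf));
    }
}
```

Here `head` stands for the first few bytes read from the uploaded file on the server; a matching signature shows only how the file begins, so it narrows what is accepted rather than proving the whole file is well-formed.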
Re: [FRIDAY] Mime Type Validation
Manos,

On 7/16/2010 9:42 AM, Manos Batsis wrote:
> On 07/16/2010 04:21 PM, Stephen Turner wrote:
>> We're using Struts 2 for file uploading, and we're filtering the types
>> of files people can upload by checking the file's content type against a
>> list of allowed mime types.
>>
>> This turns out not to be reliable enough. Firefox in particular seems to
>> sometimes provide the wrong mime type, so some valid files are being
>> rejected.
>>
>> My question is: has anyone come across a reliable way to detect a file's
>> mime type?
>
> When dealing with a finite set of MIME types, we usually map those to
> file extensions. We then only allow those extensions to be used in
> uploaded files.

If filename extensions are sufficient, you can get this information directly from the servlet container using ServletContext.getMimeType. There's also the activation framework's MimetypesFileMap.getContentType.

Another option might be to use the UNIX 'file' command, which will actually scan part(s) of the content of the file to determine what it is. It does not emit MIME types, though.

Here's some good information, too:
http://fredeaker.blogspot.com/2006/12/file-type-mime-detection.html

Good luck, and let us know what you find.

-chris
Re: [FRIDAY] Mime Type Validation
On 07/16/2010 04:21 PM, Stephen Turner wrote:
> We're using Struts 2 for file uploading, and we're filtering the types
> of files people can upload by checking the file's content type against a
> list of allowed mime types.
>
> This turns out not to be reliable enough. Firefox in particular seems to
> sometimes provide the wrong mime type, so some valid files are being
> rejected.
>
> My question is: has anyone come across a reliable way to detect a file's
> mime type?

When dealing with a finite set of MIME types, we usually map those to file extensions. We then only allow those extensions to be used in uploaded files.

hth,

Manos