My experience is that you cannot trust the mime-type supplied by the
browser on a file upload. The same file uploaded with FF or IE will
give you different mime-types. It's also dependent on what plugins
have been installed in the browser.

The only truly reliable method would be to examine the file; you
can't trust the mime-type the client supplies.

If you only allow a limited number of file types, e.g. only image
files, you should be able to get a list of valid headers/magic numbers
and check that the file matches.

If you want to know what the content of an untrusted file is, then I
would look at one of the Apache indexing/searching projects as they
likely have file type detection logic.


On Fri, Jul 16, 2010 at 9:21 AM, Stephen Turner <stur...@mit.edu> wrote:
> We're using Struts 2 for file uploading, and we're filtering the types of
> files people can upload by checking the file's content type against a list
> of allowed mime types.
>
> This turns out not to be reliable enough. Firefox in particular seems to
> sometimes provide the wrong mime type, so some valid files are being
> rejected.
>
> My question is: has anyone come across a reliable way to detect a file's
> mime type?
>
> Thanks,
> Steve
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>
>
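A sketch of the magic-number check suggested in the reply above, added here as an example and not code from the thread or from Struts. The class name, the allow-list of three image types, and the use of `InputStream.readNBytes` (Java 11+) are assumptions; the signatures are the standard PNG, JPEG and GIF file headers.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

public final class ImageMagicCheck {  // hypothetical name
    private static final int MAX_SIG_LEN = 8;
    // Allowed types mapped to the leading bytes a real file of that type starts with.
    private static final Map<String, byte[][]> SIGNATURES = new LinkedHashMap<>();
    static {
        SIGNATURES.put("image/png",
            new byte[][] {{(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}});
        SIGNATURES.put("image/jpeg",
            new byte[][] {{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF}});
        SIGNATURES.put("image/gif", new byte[][] {
            "GIF87a".getBytes(StandardCharsets.US_ASCII),
            "GIF89a".getBytes(StandardCharsets.US_ASCII)});
    }

    /** Returns the type whose signature the content starts with, or null if none match. */
    static String detect(InputStream in) throws IOException {
        byte[] head = in.readNBytes(MAX_SIG_LEN); // short files simply return fewer bytes
        for (Map.Entry<String, byte[][]> entry : SIGNATURES.entrySet()) {
            for (byte[] sig : entry.getValue()) {
                if (head.length >= sig.length
                        && Arrays.equals(sig, Arrays.copyOf(head, sig.length))) {
                    return entry.getKey();
                }
            }
        }
        return null; // reject: the client-supplied content type is never consulted
    }

    public static void main(String[] args) throws IOException {
        // Constructed samples: a GIF header, and HTML that a client might label image/png.
        byte[] gif = "GIF89a".getBytes(StandardCharsets.US_ASCII);
        byte[] html = "<html><script>".getBytes(StandardCharsets.US_ASCII);
        System.out.println("gif sample  -> " + detect(new ByteArrayInputStream(gif)));
        System.out.println("html sample -> " + detect(new ByteArrayInputStream(html)));
    }
}
```

A matching signature only shows that the file starts like that type; it does not validate the rest of the content.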
