
Is MIME type detection the best way to detect a kind of file?

I’m working on an upload form in PHP that must allow only MP3 files.

When the upload is done, I analyze the file to check whether it is really an MP3. The first step is to detect the MIME type as audio/mpeg. I use the library function finfo_file(), and it works fine except that during the tests some MP3 files are rejected because their MIME type results as application/octet-stream.

My questions are:

  • Should my app definitely refuse those MP3 files? They actually play audio.
  • Is there any reason why this MIME type is an MP3?
  • Is the detection of MIME type the most sure way to know the kind of file?
enkore asked Apr 08 '12 04:04



1 Answer

In most of my applications where upload is necessary, I sometimes settle for validating the MIME that is passed by the browser (client) against a list of predefined MIME types. This approach makes a general assumption that if something suspicious is going on where the browser is unable to communicate the MIME type of a file being uploaded, I probably don't want to bother processing it at this time.

<?php

$valid_mp3_mimes = array(
    'audio/mpeg',
    'audio/x-mpeg',
    'audio/mp3',
    'audio/x-mp3',
    'audio/mpeg3',
    'audio/x-mpeg3',
    'audio/x-mpeg-3',
    'audio/mpg',
    'audio/x-mpg',
    'audio/x-mpegaudio',
    'video/mpeg',
    'video/x-mpeg',
);

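// 'type' is the MIME type reported by the browser; PHP does not verify it server-side.
$uploaded_file_mime = isset($_FILES['upload_field_name']['type'])
    ? $_FILES['upload_field_name']['type']
    : '';

// Reject anything whose browser-reported type is not on the allow list.
if (!in_array($uploaded_file_mime, $valid_mp3_mimes, true))
{
    die('Upload is not a valid MP3 file.');
}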

You may or may not feel this is a sufficient method for your purposes. The PHP Manual explicitly states that this information is available if the browser provided this information and that the MIME type is NOT checked on the server side and therefore should not be taken for granted.

One thing to take into consideration is the availability of resources on the server that allow you to authenticate the true MIME type of a file.

As PHP developers, we love the flexibility of creating platform independent code for the most part (e.g. our web applications built on a Windows system running XAMPP can be deployed to a Linux hosting environment with very little modification). However, when validating MIME types, we begin introducing platform dependent methods that necessitate verifying the existence of these tools (such as "file" or "finfo_file").

This might be one implementation worth studying (taken from the CodeIgniter GitHub repository) that utilizes these tools and is about as thorough of a working example as you're going to get within the scope of PHP:

File MIME type detects the (actual) MIME type of the uploaded file, if possible. https://github.com/EllisLab/CodeIgniter/blob/develop/system/libraries/Upload.php#L983


Sources

PHP Manual POST method uploads - http://www.php.net/manual/en/features.file-upload.post-method.php

Webmaster Toolkit Mime Types - http://www.webmaster-toolkit.com/mime-types.shtml

FILExt .MP3 File - http://filext.com/file-extension/MP3

Matt Borja answered Sep 20 '22 07:09
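
A server-side check along the lines the answer points to, as an added example that is not part of the original answer or of CodeIgniter: it classifies the uploaded temp file with finfo and, when finfo reports application/octet-stream as in the question, inspects the leading bytes for an ID3v2 tag or an MPEG Layer III frame header. It assumes PHP 7+ with the fileinfo extension and the answer's field name upload_field_name; looks_like_mp3() and is_mp3_upload() are hypothetical helper names.

```php
<?php
// Added example (hypothetical helpers); field name taken from the answer's snippet.
/** True if $head starts with an ID3v2 tag or an MPEG audio Layer III frame header. */
function looks_like_mp3(string $head): bool
{
    if (strlen($head) < 4) {
        return false;
    }
    // ID3v2 tag: "ID3" followed by a version byte, which is never 0xFF.
    if (substr($head, 0, 3) === 'ID3' && ord($head[3]) !== 0xFF) {
        return true;
    }
    $b1 = ord($head[1]);
    $b2 = ord($head[2]);
    return ord($head[0]) === 0xFF
        && ($b1 & 0xE0) === 0xE0   // rest of the 11-bit frame sync
        && ($b1 & 0x18) !== 0x08   // version bits 01 are reserved
        && ($b1 & 0x06) === 0x02   // layer bits 01 mean Layer III
        && ($b2 & 0xF0) !== 0xF0   // bitrate index 1111 is invalid
        && ($b2 & 0x0C) !== 0x0C;  // sampling-rate index 11 is reserved
}

/** Classify by file content on the server, never by $_FILES[...]['type']. */
function is_mp3_upload(string $path): bool
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if (in_array($mime, array('audio/mpeg', 'audio/x-mpeg', 'audio/mp3'), true)) {
        return true;
    }
    if ($mime !== 'application/octet-stream') {
        return false;              // finfo positively identified another type
    }
    // finfo could not classify the data: inspect the leading bytes directly.
    $head = file_get_contents($path, false, null, 0, 16);
    return $head !== false && looks_like_mp3($head);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample headers (not real files) to exercise the signature check.
    var_dump(looks_like_mp3("\xFF\xFB\x90\x00"));            // MPEG-1 Layer III frame
    var_dump(looks_like_mp3("ID3\x03\x00\x00\x00\x00\x00")); // ID3v2.3 tag header
    var_dump(looks_like_mp3("<?php echo 1;"));               // script source
} elseif (isset($_FILES['upload_field_name'])) {
    $f = $_FILES['upload_field_name'];
    if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name']) || !is_mp3_upload($f['tmp_name'])) {
        die('Upload is not a valid MP3 file.');
    }
}
```

A match only shows that the file begins like an MP3; it does not prove that the rest of the file is valid audio.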