
MIME type check useless for file upload? (in particular, using the Javascript File API)?

I've got a server script receiving an uploaded file from Javascript.

Client-side, using a File object (from the W3C File API) and code similar to this line:

if (file.type.indexOf("text") == 0) { ... }

one can perform a check of the file type. Apparently, this uses a MIME type (which returns these strings).

In my journeys here through SO, I ventured across this worthy contributor, who maintains that MIME types are useless.

Are MIME types indeed basically useless in a file upload situation, and any type checking should therefore occur server-side?

Ben asked Apr 26 '12 07:04



2 Answers

That contributor maintains that all MIME type checking is useless, client or server-side.

And to some degree he's right. MIME type checking is always based on sniffing certain characteristics of a file. His example: a PDF file should start with something like %PDF-1.4. But a file that starts with %PDF-1.4 is not necessarily a PDF file. (Simplified explanation.)

A user can put all the right hints in all the right places so a MIME detector would detect the file as some specific type, because it's looking at those particular hints. But then the rest of the file could be something completely different. If you go that far though, what is it that makes a file of a certain type then? It's all just binary gobbledygook. In the end the only way you can make sure a file is a valid file of type X is by trying to open and parse it with a parser that expects files of type X. If it parses correctly, it's a file useful as type X. If it walks like a duck, quacks like a duck...

With that in mind, trying to parse the file is better than sniffing the MIME type server-side is better than sniffing the MIME-type client side is better than taking the user's word for what type of file it is. Note that client-side MIME type sniffing is just as unreliable as taking the user's word for anything, since it all happens client-side.

deceze answered Sep 21 '22 23:09
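The gap between sniffing and parsing described in the answer above, as an added example that is not part of the original answers. It uses PNG as the file type; the sample bytes are constructed, `chunk` is a hypothetical helper for building them, and `parsesAsPng` is a structural check only (it does not decode pixel data).

```javascript
// PNG stands in for "file type X"; these 8 bytes are the PNG signature.
const PNG_SIG = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];
// CRC-32 as used by PNG chunks, computed bitwise so no imports are needed.
function crc32(bytes) {
  let crc = 0xffffffff;
  for (const b of bytes) {
    crc ^= b;
    for (let i = 0; i < 8; i++) crc = (crc >>> 1) ^ (0xedb88320 & -(crc & 1));
  }
  return (crc ^ 0xffffffff) >>> 0;
}

// Sniffing: looks only at the leading signature, as a MIME detector does.
function sniffsAsPng(bytes) {
  return bytes.length >= 8 && PNG_SIG.every((b, i) => bytes[i] === b);
}

// Parsing: walk every chunk (bounds, CRC, IHDR first, IEND exactly at the end).
function parsesAsPng(bytes) {
  if (!sniffsAsPng(bytes)) return false;
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  for (let pos = 8, end; pos + 12 <= bytes.length; pos = end) {
    const len = view.getUint32(pos);
    end = pos + 12 + len; // 4 length + 4 type + data + 4 CRC
    if (end > bytes.length) return false;
    const type = String.fromCharCode(...bytes.subarray(pos + 4, pos + 8));
    if (pos === 8 && (type !== "IHDR" || len !== 13)) return false;
    if (crc32(bytes.subarray(pos + 4, end - 4)) !== view.getUint32(end - 4)) return false;
    if (type === "IEND") return end === bytes.length;
  }
  return false;
}

// Hypothetical helper: builds one PNG chunk for the constructed samples below.
function chunk(type, data) {
  const out = new Uint8Array(12 + data.length);
  const view = new DataView(out.buffer);
  view.setUint32(0, data.length);
  out.set([...type].map((c) => c.charCodeAt(0)), 4);
  out.set(data, 8);
  view.setUint32(8 + data.length, crc32(out.subarray(4, 8 + data.length)));
  return out;
}
// Constructed sample 1: a valid 1x1 grayscale PNG (IHDR, IDAT, IEND).
const IDAT = [0x78, 0x01, 0x01, 0x02, 0x00, 0xfd, 0xff, 0, 0, 0, 2, 0, 1];
const realPng = Uint8Array.from([...PNG_SIG, ...chunk("IHDR", [0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0]),
  ...chunk("IDAT", IDAT), ...chunk("IEND", [])]);
// Constructed sample 2: correct signature followed by unrelated text.
const spoofed = Uint8Array.from([...PNG_SIG, ...[..."this is not image data"].map((c) => c.charCodeAt(0))]);
```

Both samples pass `sniffsAsPng`, but only `realPng` passes `parsesAsPng`; a client-supplied `file.type` would be a third, weaker signal that the server never has to trust.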


The contributor is correct. You can't rely merely on MIME type checking to truly validate a file. It's only useful for quick lookups. For instance, on the client side, you can check the MIME type of a file before it is sent to the server, just in case the user chose the wrong file type, saving time and bandwidth. Apologies for the liberal use of commas!

Nadh answered Sep 23 '22 23:09