HTML file upload: is there a way to force content-type=“application/octet-stream”

Question

We are custom handling file uploads on the server end due to embedded limitations.

The HTML file upload code used in a Firefox browser:

<html>
<body>
    <form action="http:///192.168.1.1/upload.cgi" name="form_1" method="post" enctype="multipart/form-data" >
        <input type="file" id="file" name="filename" content-type="application/octet-stream">
        <input type="submit" name="mysubmit" value="Send">
    </form>
<body>
</html> 

If the selected file is called "fish.jpg", the server receives its content-type as "image/jpeg". If the file is renamed to just "fish" without the file extension, the server receives its content-type as "application/octet-stream" which is what we want.

Is there a way to force "application/octet-stream" in an HTML page (with or without regular JavaScript)?

Thanks in advance, Bert

Answer 1

No. There is no content-type="..." attribute. You cannot influence the browser's choice of Content-Type header in a multipart/form-data subpart at all, with or without JavaScript.

Why does it matter? It's a bad idea for a server-side script do anything much with Content-Type , as it's so often inaccurate. Treating image/jpeg uploads any differently from application/octet-stream is something that shouldn't be done, not least because a browser may choose to upload a JPEG as application/octet-stream or something else (in particular, IE usually likes to send image/pjpeg ).

If you control the server side and getting the right file upload type is critical, there should be an interface for the user to select it manually. (You can use JavaScript file extension sniffing and/or Content-Type to set a default value, but don't rely on either.)

Answer 2

Is there a way to force "application/octet-stream" in an HTML page (with or without regular JavaScript)?

You shouldn't set content-type in html like that. Bad guys can easily upload bypass that. The way is to do proper server-side validation.