stackoom
  简体   繁体   中英

MIME type check useless for file upload? (in particular, using the Javascript File API)?

 原文  2012-04-26 07:39:34       php/ javascript/ file/ upload/ mime

Question

I've got a server script receiving an uploaded file from Javascript.

Client-side, using a File object (from the W3C File API ) and code similar to this line: 

if (file.type.indexOf("text") == 0) { ... }

one can perform a check of the file type. Apparently, this uses a MIME type (which returns these strings ).

In my journeys here through SO, I ventured across this worthy contributor , who maintains that MIME types are useless.

Are MIME types indeed basically useless in a file upload situation, and any type checking should therefore occur server-side?

2 answers

solution1
 3  2012-04-26 08:12:17

That contributor maintains that all MIME type checking is useless, client or server-side.

And to some degree he's right. MIME type checking is always based on sniffing certain characteristics of a file. His example: a PDF file should start with something like %PDF-1.4 . But a file that starts with %PDF-1.4 is not necessarily a PDF file. (Simplified explanation.)

A user can put all the right hints in all the right places so a MIME detector would detect the file as some specific type, because it's looking at those particular hints. But then the rest of the file could be something completely different. If you go that far though, what is it that makes a file of a certain type then? It's all just binary gobbledygook. In the end the only way you can make sure a file is a valid file of type X is by trying to open and parse it with a parser that expects files of type X. If it parses correctly, it's a file useful as type X. If it walks like a duck, quacks like a duck...

With that in mind, trying to parse the file is better than sniffing the MIME type server-side is better than sniffing the MIME-type client side is better than taking the user's word for what type of file it is. Note that client-side MIME type sniffing is just as unreliable as taking the user's word for anything, since it all happens client-side.

solution2
 3 ACCPTED  2012-04-26 08:15:33

The contributer is correct. You can't rely merely on MIME type checking to truly validate a file. It's only useful for quick lookups. For instance, on the client side, you can check the MIME type of a file before it is sent to the server, just in case the user chose the wrong file type, saving time and bandwidth. Apologies for the liberal use of commas!

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Check mime type of file on upload with PHP. mime_content_type, fileINfo, linux file NOT available Internet Explorer file upload fails mime-type check Check Mime Type in jquery before file upload after changing the Extension Using php to check MIME type of file uploaded via form mime type torrent codeigniter to upload file file upload mime type issue with UploadedFile Laravel Upload File Mime type error File upload mime-type validation with Laravel 4 Getting mime type after file upload with Cloudinary php file upload - invalid MIME type?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM