[FilePondUpload] Is there a way to make sure that the file is really an image ?
Question
filepondupload
Forge asset by Stuart Harris

Hello!

Is there a safe way to determine whether the file being uploaded is really an image or a PDF, for example?

Just checking the file suffix (*.JPG or *.PDF) is not safe.

By injecting application/javascript;x=image/svg, the application accepts the upload and serves a JavaScript file (with the correct MIME type).

2024-11-07 03-28-42
Stuart Harris
Champion
Solution

Hi Leo,

Thanks for asking.

You can specify either the extension or the mime type. Internally the plugin will convert the extension to the mime type before using it for the <input type="file"...> control.

I have written the interface to the plugin so it is easy for users to specify the mime-type.

Here is an example

accept="application/pdf,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.ms-excel,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,pub,mpp,application/vnd.visio,ppt,application/vnd.openxmlformats-officedocument.presentationml.presentation,image/jpeg,image/png,image/gif,image/tiff,audio/mpeg,video/mp4,video/x-msvideo,text/plain,text/csv,eml,kml,application/zip,rar" 

Do you mean this is safer because a malicious user could rename a file extension from .exe to .pdf? If so, the browser or local machine will not necessarily detect the MIME type correctly. On Windows, if you rename an extension to .pdf, it will show up in the file upload dialog with the MIME type "application/pdf".

In terms of safety, the browser on the local machine performing the upload is responsible for determining the MIME type, so there is no absolutely secure way to ensure the file is a PDF even if the MIME type is correct.

I hope this helps!

Kind regards,

Stuart
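The check a practitioner would want at this point, as an added example that is not part of the FilePondUpload asset or of either post above: the `accept` attribute and the browser-reported type only steer the file picker, and everything in the multipart body, including the Content-Type that the question injects, is attacker-controlled. The server therefore has to decide from the bytes it actually received. The code below is mine, runs on Node.js with no dependencies, and every name in it (`SIGNATURES`, `sniffType`, `naiveAccepts`, `validateUpload`, the sample buffers) is an assumption for illustration rather than anything from the plugin. It puts the weak substring check, which the injected `application/javascript;x=image/svg` defeats, beside a check that parses the media type strictly and then requires the file's leading bytes to agree.

```javascript
// Added example, not code from the FilePondUpload asset or from this thread.
// Server-side validation of an upload by its content (magic bytes) instead of
// the client-supplied Content-Type or file extension. Node.js, no dependencies.

// Leading bytes of the formats accepted here. SVG is deliberately absent:
// it is plain XML with no fixed signature and may carry <script>, so it needs
// an XML parse plus sanitisation, which a byte signature cannot provide.
const SIGNATURES = [
  { type: 'image/png',       magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg',      magic: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',       magic: [0x47, 0x49, 0x46, 0x38] },       // "GIF8"
  { type: 'application/pdf', magic: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
];

// Media type implied by the first bytes of the buffer, or null if unrecognised.
function sniffType(buf) {
  for (const { type, magic } of SIGNATURES) {
    if (buf.length >= magic.length && magic.every((b, i) => buf[i] === b)) {
      return type;
    }
  }
  return null;
}

// Weak check: accept when the declared Content-Type "looks like" an image.
// A substring test also matches parameters after ';', so the value
// "application/javascript;x=image/svg" from the question passes as an image.
function naiveAccepts(declaredType, allowedPrefixes) {
  return allowedPrefixes.some((p) => String(declaredType).toLowerCase().includes(p));
}

// Hardened check: (1) keep only the media type, before any ';' parameter;
// (2) require an exact match on an allowlist; (3) require the bytes to agree.
// The type returned on success is the one to store and later serve the file
// with; the client's declared type is never used for that.
function validateUpload(buf, declaredType, allowedTypes) {
  const mediaType = String(declaredType).split(';')[0].trim().toLowerCase();
  if (!allowedTypes.includes(mediaType)) {
    return { ok: false, reason: `declared type ${mediaType} not allowed` };
  }
  const sniffed = sniffType(buf);
  if (sniffed === null) {
    return { ok: false, reason: 'content does not match any allowed format' };
  }
  if (sniffed !== mediaType) {
    return { ok: false, reason: `content is ${sniffed} but declared ${mediaType}` };
  }
  return { ok: true, type: sniffed };
}

// Constructed sample uploads (not captured from a real system).
const SAMPLES = {
  // Minimal PNG: the 8-byte signature followed by the start of an IHDR chunk.
  png: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
                    0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52]),
  // Start of a PDF: "%PDF-1.7" plus the customary binary comment line.
  pdf: Buffer.from('%PDF-1.7\n%\xe2\xe3\xcf\xd3\n', 'latin1'),
  // JavaScript body that a renamed ".png" or a crafted Content-Type would smuggle.
  js:  Buffer.from('alert(document.cookie)', 'utf8'),
};

const ALLOWED = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'];

// Demonstration when run directly with `node`.
console.log('naive, injected type    :', naiveAccepts('application/javascript;x=image/svg', ['image/']));
console.log('hardened, injected type :', validateUpload(SAMPLES.js, 'application/javascript;x=image/svg', ALLOWED));
console.log('hardened, js as .png    :', validateUpload(SAMPLES.js, 'image/png', ALLOWED));
console.log('hardened, pdf as .png   :', validateUpload(SAMPLES.pdf, 'image/png', ALLOWED));
console.log('hardened, real png      :', validateUpload(SAMPLES.png, 'image/png; charset=binary', ALLOWED));
```

A signature check only proves what the first few bytes claim, so for images a full decode and re-encode with an image library is the stronger test, and a file accepted as a PDF should still be parsed before anything trusts it. Whatever is stored should be served with the sniffed type, `X-Content-Type-Options: nosniff`, and `Content-Disposition: attachment` for anything that is not meant to render inline; that is what keeps a smuggled script from ever executing in the application's origin even if a check is bypassed.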
