[FilePondUpload] Is there a way to make sure that the file is really an image ?
Question
Forge component by Stuart Harris
Published on 19 Mar 2020

Hello!

Is there a safe way to determine whether the uploaded file is really an image or a PDF, for example?

Just checking the file suffix (*.JPG or *.PDF) is not safe.

By injecting application/javascript;x=image/svg, the application accepts the upload and serves a JavaScript file (with the correct MIME type).

Solution

Hi Leo,

Thanks for asking.

You can specify either the extension or the mime type. Internally the plugin will convert the extension to the mime type before using it for the <input type="file"...> control.

I have written the interface to the plugin so it is easy for users to specify the mime-type.

Here is an example

accept="application/pdf,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.ms-excel,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,pub,mpp,application/vnd.visio,ppt,application/vnd.openxmlformats-officedocument.presentationml.presentation,image/jpeg,image/png,image/gif,image/tiff,audio/mpeg,video/mp4,video/x-msvideo,text/plain,text/csv,eml,kml,application/zip,rar" 

Do you mean this is safer because a malicious user could rename a file extension from .exe to .pdf?  If so, the browser or local machine will not necessarily detect mime-type correctly. On Windows if you rename an extension to .pdf, it will show up in the file upload dialog using the mime-type "application/pdf".

In terms of safety, the browser on the local machine performing the upload is responsible for determining the MIME type, so there is no absolutely secure way to ensure the file is a PDF even if the MIME type is correct.

I hope this helps!

Kind regards,

Stuart
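The answer above makes the key point: the `accept` list and the browser-reported MIME type are client-side hints, so the server has to decide for itself what an upload really is. The following is an added example, not code from the FilePondUpload component or from FilePond: a small Node.js check that sniffs the leading bytes of an upload and only accepts it when the detected type, the declared `Content-Type` and the file extension all agree. The `SIGNATURES` table, the `validateUpload` function and the sample uploads are all constructed for this example; the samples are not real files.

```javascript
// Added example, not part of FilePondUpload or FilePond: a server-side
// check that decides an upload's type from its leading bytes rather than
// from the file name or the Content-Type the browser sent.
// Runs with plain Node.js, no dependencies.

// Fixed "magic numbers" for a small allow-list of binary formats.
// SVG is deliberately absent: it is XML text with no fixed signature and
// can carry script, so a sniffer like this should not accept it.
const SIGNATURES = [
  { type: 'image/jpeg',      magic: Buffer.from([0xff, 0xd8, 0xff]) },
  { type: 'image/png',       magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { type: 'image/gif',       magic: Buffer.from('GIF87a', 'latin1') },
  { type: 'image/gif',       magic: Buffer.from('GIF89a', 'latin1') },
  { type: 'application/pdf', magic: Buffer.from('%PDF-', 'latin1') },
];

// File extensions that are consistent with each sniffed type.
const EXTENSIONS = {
  'image/jpeg': ['jpg', 'jpeg'],
  'image/png': ['png'],
  'image/gif': ['gif'],
  'application/pdf': ['pdf'],
};

// Return the media type implied by the first bytes, or null if none match.
function sniffType(bytes) {
  for (const { type, magic } of SIGNATURES) {
    if (bytes.length >= magic.length && bytes.subarray(0, magic.length).equals(magic)) {
      return type;
    }
  }
  return null;
}

// Reduce a Content-Type value to its bare media type, lower-cased, so that
// "application/javascript;x=image/svg" becomes "application/javascript".
function bareMediaType(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

function extensionOf(filename) {
  const i = filename.lastIndexOf('.');
  return i < 0 ? '' : filename.slice(i + 1).toLowerCase();
}

// Decide whether an upload may be stored. `allowed` is the server-side
// allow-list of media types; the client's `accept` attribute is only a hint.
function validateUpload({ filename, contentType, bytes }, allowed) {
  const detected = sniffType(bytes);
  if (detected === null) {
    return { ok: false, detected, reason: 'content does not match any allowed signature' };
  }
  if (!allowed.includes(detected)) {
    return { ok: false, detected, reason: `${detected} is not on the allow-list` };
  }
  const declared = bareMediaType(contentType);
  if (declared !== detected) {
    return { ok: false, detected, reason: `declared ${declared} but content is ${detected}` };
  }
  const ext = extensionOf(filename);
  if (!EXTENSIONS[detected].includes(ext)) {
    return { ok: false, detected, reason: `extension .${ext} does not match ${detected}` };
  }
  return { ok: true, detected, reason: 'ok' };
}

// Constructed sample uploads (not real files): a genuine PNG header, a
// script labelled as an image via a parameter, and a renamed executable.
const SAMPLES = {
  realPng: {
    filename: 'photo.png',
    contentType: 'image/png',
    bytes: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
                        0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52]),
  },
  scriptAsImage: {
    filename: 'logo.svg',
    contentType: 'application/javascript;x=image/svg',
    bytes: Buffer.from('alert(1)', 'utf8'),
  },
  exeAsPdf: {
    filename: 'report.pdf',
    contentType: 'application/pdf',
    bytes: Buffer.from('MZ\x90\x00', 'latin1'),
  },
};

const ALLOWED = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];

// Show the decision for each constructed sample.
for (const [name, upload] of Object.entries(SAMPLES)) {
  console.log(name, validateUpload(upload, ALLOWED));
}
```

The three checks are deliberately independent: sniffing alone would still accept a real PNG uploaded as `photo.jpg` with `Content-Type: image/jpeg`, which matters when the stored name or type is later used to choose how the file is served. Signature matching only establishes that the first bytes look like the format; for images that must be rendered, re-encoding with an image library on the server is the stronger follow-up.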