Page MenuHomePhabricator

Detect which mime types can be recognized reliably
Open, LowPublicFeature

Description

This is a folloup to bug #3641: brion fixed my fix by requiring a matching mime
type only for types that are known to be recognized. How to determine which
types that are was left open. This patch adresses that caveat:

  • The types recognized by PHPs GD library are always considered to be recognizable
  • if an external command is used to determine the mime type via

$wgMimeDetectorCommand, the system's standard magic.mime file is parsed for
additional types. where that file can be found is determined by the
MM_MAGIC_MIME_FILE. The default value should work on most linux systems, but
would need to be overwritten by windows users.

  • if the mime_magic or fileinfo extensions are present in PHP, the file

indicated by ini_get("mime_magic.magicfile") will be parsed for additional types.

I have tested this with and without $wgMimeDetectorCommand, but not with the
mime_magic or fileinfo extensions.

patch to folow in a minute.


Version: unspecified
Severity: enhancement

Details

Reference
bz3675

Event Timeline

bzimport raised the priority of this task from to Low.Nov 21 2014, 8:50 PM
bzimport set Reference to bz3675.
bzimport added a subscriber: Unknown Object (MLST).

Created attachment 968
patch for MimeMagic.php

attachment detectmimedetect.diff ignored as obsolete

Created attachment 969
trivial php script for testing the above patch conveniently

put this into the installation root to get a list of all mimetypes and
file-extensions that are deemed recognizable.

attachment MimeTest.php ignored as obsolete

Patch wouldn't apply cleanly

What's the state of play with this request now Daniel?

This patch is more than 6 years old :) Also, it was always kind of hackish. It was supposed to address the following issue:

  • when a file is uploaded and mediawiki fails to detect its mime type, it is accepted withoput further checks.
  • if we knew that the mime type of files with the given file extension *should* be detected, we could reject that file (but afaik we currently don't).

I'm a bit out of the loop, and don't have time to test right now, but I believe the problem still exist: garbage files that are detected as "unknown/unknown" can be uploaded with any file extension.

I think the simples solution would be to reject files that are recognized as "unknown/unknown" unless that extensions is whitelisted in a new config variable.

On a related note: the interaction of $wgCheckFileExtensions vs. $wgVerifyMimeType vs. $wgStrictFileExtensions is very unclear. The mime detection / file verification code needs a rewrite. Sorry for the mess, that stuff from 2005 is actually the first patch I contributed to mediawiki :)

Aklapper changed the subtype of this task from "Task" to "Feature Request".Feb 4 2022, 11:02 AM
Aklapper removed a subscriber: wikibugs-l-list.