Closed Bug 295431 Opened 20 years ago Closed 20 years ago

Bogus file name extensions fool Firefox into sending wrong MIME type in HTTP POST

Categories

(Core Graveyard :: File Handling, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: simon.donovan, Unassigned)

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

This bug relates to uploading files using HTTP POST and the incorrect reporting 
of MIME types.

MIME types for file uploads in Firefox are based on file name extensions.
e.g. The file 'info.txt' will be given the 'text/plain' MIME type and the 
file 'picture.jpg' will be given the 'image/jpeg' MIME type.

If a rogue user renames 'picture.jpg' to 'picture.txt' it will be given 
the 'text/plain' MIME type, when in actual fact, the data of the file 
is 'image/jpeg'. Hence Firefox can be fooled into sending the wrong MIME type.

The MIME type should be based on the data content of the file and not the file 
extension (which can easily be spoofed). It is extremely lazy and inaccurate to 
base MIME types on file extension alone. The file content should be examined to 
determine the real MIME type. This behaviour is implemented in IE.

If a server application wants to allow only files with a specific MIME type to 
be uploaded, the MIME type supplied by Firefox cannot be trusted, as a user can 
spoof this with ease. Hence, additional work must be done on the server to 
examine the content of the file to determine the real MIME type and not the 
spoofed MIME type reported by Firefox.


Reproducible: Always

Steps to Reproduce:
1. Create a simple file upload form in HTML.
2. Create a copy of a jpeg image file and change the extension to '.txt'.
3. Upload the file in the HTML form.

Actual Results:  
On the server, the Content-Type header reports a MIME type of 'text/plain'

Expected Results:  
On the server, the Content-Type header should report a MIME type of 'image/jpeg'

*** Bug 295432 has been marked as a duplicate of this bug. ***

The form handling code uses:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/uriloader/exthandler/nsExternalHelperAppService.cpp&rev=1.289&mark=2724,2764#2719

which determines the MIME type to use by looking at the extension. It doesn't
seem to me like it can do anything else, short of content sniffing (bug 61855).

Therefore I think this is either a dupe of that, or INVALID.

Assignee: nobody → file-handling
Severity: major → normal
OS: Windows XP → All
Product: Firefox → Core
QA Contact: file.handling → ian
Hardware: PC → All
Version: unspecified → Trunk

> If a server application wants to allow only files with a specific MIME type to
> be uploaded, the MIME type supplied by Firefox cannot be trusted

Why would a server ever be trusting externally-supplied information?  How would
the server even know it really was Firefox, and not something else pretending to
be Firefox?

A file's extension, and the MIME type derived from that, is more useful than
always doing content-sniffing (and potentially guessing wrong).  Yes, if the
extension is changed you may end up thinking the file is the wrong type, but
that happens with Windows itself, so it's hardly unusual or unexpected.

We use the MIME type reported by the operating system.  On MacOS, this is not
always based on extension by any means; on operating systems which only use
extensions to identify types, it is.  Sniffing will give the wrong results in a
vast variety of cases (for example, an XPM image just looks like C code, which
it is).  Since servers should absolutely not be trusting any data they receive,
the "servers can't depend on this type" argument is bogus.

Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Product: Core → Core Graveyard
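
The server-side position taken in the comments above, as an added example that is not part of the bug report or of Mozilla's code: the per-part `Content-Type` of a `multipart/form-data` upload is recorded but the accept/reject decision is made from the bytes received. The allowlist, function names and the sample request body are assumptions constructed for illustration.

```python
import re

ALLOWED = {"image/jpeg", "image/png"}            # assumed server upload policy
SIGNATURES = {b"\xff\xd8\xff": "image/jpeg",      # leading bytes of each allowed type
              b"\x89PNG\r\n\x1a\n": "image/png"}

def parse_parts(body: bytes, boundary: bytes):
    """Yield (filename, declared_type, data) for each file part.
    Assumes a well-formed multipart/form-data body with CRLF line endings."""
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):              # closing delimiter reached
            break
        head, _, data = chunk[2:-2].partition(b"\r\n\r\n")
        name = re.search(rb'filename="([^"]*)"', head)
        ctype = re.search(rb"(?im)^content-type:\s*([^\r\n;]+)", head)
        if name:
            declared = ctype.group(1).decode().strip().lower() if ctype else None
            yield name.group(1).decode(), declared, data

def sniff(data: bytes):
    """Return the allowed type whose signature the content starts with, else None.
    A prefix match is a minimum bar; fully decoding the file is the stronger check."""
    return next((m for sig, m in SIGNATURES.items() if data.startswith(sig)), None)

def review(body: bytes, boundary: bytes):
    """Decide per file from the bytes received; the declared type is only logged."""
    out = {}
    for filename, declared, data in parse_parts(body, boundary):
        detected = sniff(data)
        out[filename] = {"accepted": detected in ALLOWED, "declared": declared,
                         "detected": detected, "mismatch": detected != declared}
    return out

# Constructed sample request body: a JPEG stub renamed to .txt, and text renamed to .jpg.
BOUNDARY = b"----constructedBoundary"
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 8 + b"\xff\xd9"
SAMPLE_BODY = b"".join([
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="f1"; filename="picture.txt"\r\n',
    b"Content-Type: text/plain\r\n\r\n", JPEG_STUB + b"\r\n",
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="f2"; filename="notes.jpg"\r\n',
    b"Content-Type: image/jpeg\r\n\r\n", b"just some text\r\n",
    b"--" + BOUNDARY + b"--\r\n",
])

if __name__ == "__main__":
    for fn, verdict in review(SAMPLE_BODY, BOUNDARY).items():
        print(fn, verdict)
```

The `mismatch` field is worth logging even when the file is accepted, since a declared type that disagrees with the content is the exact situation the report describes.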