Closed Bug 295432 Opened 20 years ago Closed 20 years ago

Bogus file name extensions fool Firefox into sending wrong MIME type in HTTP POST

Categories

(Firefox :: File Handling, defect)

x86
Windows XP
defect
Not set
major

VERIFIED DUPLICATE of bug 295431

People

(Reporter: simon.donovan, Unassigned)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

This bug relates to uploading files using HTTP POST and the incorrect reporting 
of MIME types.

MIME types for file uploads in Firefox are based on file name extensions, 
e.g. the file 'info.txt' will be given the 'text/plain' MIME type and the 
file 'picture.jpg' will be given the 'image/jpeg' MIME type.

If a rogue user renames 'picture.jpg' to 'picture.txt' it will be given 
the 'text/plain' MIME type, when in actual fact, the data of the file 
is 'image/jpeg'. Hence Firefox can be fooled into sending the wrong MIME type.

The MIME type should be based on the data content of the file and not the file 
extension (which can easily be spoofed). It is extremely lazy and inaccurate to 
base MIME types on file extension alone. The file content should be examined to 
determine the real MIME type. This behaviour is implemented in IE.

If a server application wants to allow only files with a specific MIME type to 
be uploaded, the MIME type supplied by Firefox cannot be trusted, as a user can 
spoof this with ease. Hence, additional work must be done on the server to 
examine the content of the file to determine the real MIME type and not the 
spoofed MIME type reported by Firefox.


Reproducible: Always

Steps to Reproduce:
1. Create a simple file upload form in HTML.
2. Create a copy of a JPEG image file and change the extension to '.txt'.
3. Upload the file in the HTML form.

Actual Results:  
On the server, the Content-Type header reports a MIME type of 'text/plain'

Expected Results:  
On the server, the Content-Type header should report a MIME type of 'image/jpeg'

*** This bug has been marked as a duplicate of 295431 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
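
The server-side check the report calls for, as an added example that is not part of the original bug report or of any Mozilla code: it parses a multipart/form-data body, reads the client-declared Content-Type of each file part, and decides on the file's leading bytes instead. The function names, the signature table, the boundary string and the sample body are all constructed for illustration; the second sample part (text renamed to .jpg) goes one step beyond the report's case to show the same mismatch in the other direction.

```python
import re

# Leading-byte signatures for a few image types (small illustrative table).
SIGNATURES = [(b"\xff\xd8\xff", "image/jpeg"), (b"\x89PNG\r\n\x1a\n", "image/png"),
              (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif")]

def sniff(data):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None

def file_parts(body, boundary):
    """Yield (filename, declared_type, content) for each file part of the body."""
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter reached
            break
        head, sep, content = chunk.partition(b"\r\n\r\n")
        name = re.search(rb'filename="([^"]*)"', head)
        if not sep or name is None:  # malformed part or ordinary form field
            continue
        ctype = re.search(rb"(?im)^content-type:\s*([^\s;]+)", head)
        # A part without a Content-Type header defaults to text/plain (RFC 7578).
        declared = ctype.group(1).decode("ascii", "replace").lower() if ctype else "text/plain"
        if content.endswith(b"\r\n"):  # this CRLF belongs to the next delimiter
            content = content[:-2]
        yield name.group(1).decode("utf-8", "replace"), declared, content

def check_upload(body, boundary, allowed):
    """Accept on sniffed content only; the client-declared type is kept for logging."""
    report = []
    for filename, declared, content in file_parts(body, boundary):
        actual = sniff(content)
        report.append({"filename": filename, "declared": declared,
                       "sniffed": actual, "accepted": actual in allowed})
    return report

# Constructed sample body: a JPEG renamed to .txt, and plain text renamed to .jpg.
BOUNDARY = b"----constructed-boundary"
SAMPLE_BODY = b"\r\n".join([
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="upload1"; filename="picture.txt"',
    b"Content-Type: text/plain", b"",
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01", b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="upload2"; filename="notes.jpg"',
    b"Content-Type: image/jpeg", b"",
    b"just some text", b"--" + BOUNDARY + b"--", b"",
])
```

A signature match only confirms the leading bytes of the file, so a server that needs a real image should also decode or re-encode it before storing it.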