Zend Framework

MimeType Validator should throw an exception instead of desperately validating with false positives

Details

  • Type: Improvement Improvement
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 1.10.0
  • Component/s: Zend_File_Transfer
  • Labels:
    None

Description

The MimeType validator uses the value returned by Http as a last resort when neither mime_content_type, nor file_info are available. I think Http is unreliable and should not even be considered at all for anything regarding mime types validation.

I propose to instead use a command line tool as a third option if needed, such as the 'file' command:
$filename = escapeshellarg($filename);
exec("file -ib $filename", $output);
return $output[0];

I have had much success with this on many servers where the 2 first libraries were not available.

In case this shell command should fail as well, no check to http should even be attempted as it gives a false sense of security through false positives (a pdf maliciously disguised as .jpg), false negatives (a Windows machine with its file extensions hidden would fail a jpg mimetype validation when uploading one such file).

The Http check is just a troubleshooting headache waiting to happen if one has not thoroughly read the fine prints of the MimeType validation.

Therefore I also propose that if the 3 afore mentioned checks are not available (mime_content_type, file_info, shell), an exception should simply be thrown to make it clear that the MimeType validation should not be used as long as one of these 3 solutions has not been implemented on the machine.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Thomas Weidner added a comment -

Within ZF it is not allowed to use exec(). The "file" command is not available under Windows.

And the most valueable argument:
A validator must only return boolean true or false. It is not allowed to throw an exception while validating.

Show
Thomas Weidner added a comment - Within ZF it is not allowed to use exec(). The "file" command is not available under Windows. And the most valueable argument: A validator must only return boolean true or false. It is not allowed to throw an exception while validating.
Hide
Permalink
Michael Ekoka added a comment -

Granted that ZF doesn't allow exec().

About HTTP in MimeType validation: I think that validation should be implicitly strict and explicitly lenient. e.g. HTTP should be excluded altogether from the validation for MimeType, or just explicitly activated through a flag.

About exceptions: I'm not suggesting to throw them during validation, the validation return value is for the application to use, but the exception is intended for the developer. Having a validator simply return false because it's not finding mime_content_type or file_info doesn't seem like an appropriate behavior, especially in the context of a security component. A validator like any object could still throw exceptions within the lines of what they are intended, that is to signal to the dev that an exceptional situation was encountered that he/she should be aware of. In this case, that the underlying libraries upon which the validator relies to operate a function are missing and therefore the results would simply be inconclusive.

In other words the exception simply tells us "that feature you're trying to use to secure your uploads, well, at this time it's not really secure and it's best not to rely on it". At which point the dev has to take action to really solve the problem, either explicitly and knowingly deactivate the validator or install one of the required libraries.

just my 0.02$

Show
Michael Ekoka added a comment - Granted that ZF doesn't allow exec(). About HTTP in MimeType validation: I think that validation should be implicitly strict and explicitly lenient. e.g. HTTP should be excluded altogether from the validation for MimeType, or just explicitly activated through a flag. About exceptions: I'm not suggesting to throw them during validation, the validation return value is for the application to use, but the exception is intended for the developer. Having a validator simply return false because it's not finding mime_content_type or file_info doesn't seem like an appropriate behavior, especially in the context of a security component. A validator like any object could still throw exceptions within the lines of what they are intended, that is to signal to the dev that an exceptional situation was encountered that he/she should be aware of. In this case, that the underlying libraries upon which the validator relies to operate a function are missing and therefore the results would simply be inconclusive. In other words the exception simply tells us "that feature you're trying to use to secure your uploads, well, at this time it's not really secure and it's best not to rely on it". At which point the dev has to take action to really solve the problem, either explicitly and knowingly deactivate the validator or install one of the required libraries. just my 0.02$
Hide
Permalink
Thomas Weidner added a comment -

As I said before...
Calling the isValid() method must never result in an exception.

Show
Thomas Weidner added a comment - As I said before... Calling the isValid() method must never result in an exception.
Hide
Permalink
Thomas Weidner added a comment -

Implemented with r17685

Show
Thomas Weidner added a comment - Implemented with r17685

People

Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Zend Framework. Try JIRA - bug tracking software for your team.