ZF-7617: MimeType Validator should throw an exception instead of desperately validating with false positives
The MimeType validator uses the value returned by Http as a last resort when neither mime_content_type nor file_info is available. I think Http is unreliable and should not even be considered at all for anything regarding mime type validation.
I propose to instead use a command line tool as a third option if needed, such as the 'file' command:

    $filename = escapeshellarg($filename);
    exec("file -ib $filename", $output);
    return $output;

I have had much success with this on many servers where the first 2 libraries were not available.
In case this shell command should fail as well, no check to http should even be attempted, as it gives a false sense of security through false positives (a pdf maliciously disguised as .jpg) and false negatives (a Windows machine with its file extensions hidden would fail a jpg mimetype validation when uploading one such file).
The Http check is just a troubleshooting headache waiting to happen if one has not thoroughly read the fine print of the MimeType validation.
Therefore I also propose that if the 3 aforementioned checks are not available (mime_content_type, file_info, shell), an exception should simply be thrown to make it clear that the MimeType validation should not be used as long as one of these 3 solutions has not been implemented on the machine.
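The fallback order proposed in this report, as an added PHP example that is not part of the original report or of Zend Framework's code. `detectMimeType()` is a hypothetical helper name; the `--` argument, the stderr redirect and the check on the shape of the command output are assumptions added here, and the sample file is constructed.

```php
<?php
// Added example: content-based MIME detection that never falls back to the
// client-supplied Content-Type header. detectMimeType() is a hypothetical name.
function detectMimeType(string $path): string
{
    if (!is_file($path) || !is_readable($path)) {
        throw new InvalidArgumentException("Not a readable file: $path");
    }
    // 1. fileinfo extension: inspects the file's leading bytes.
    if (class_exists('finfo')) {
        $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
        if (is_string($type) && $type !== '') {
            return $type;
        }
    }
    // 2. mime_content_type(), where it is available.
    if (function_exists('mime_content_type')) {
        $type = mime_content_type($path);
        if (is_string($type) && $type !== '') {
            return $type;
        }
    }
    // 3. The 'file' command; function_exists() is false when exec is disabled.
    if (function_exists('exec')) {
        $output = [];
        $status = 1;
        // '--' (assumption) stops a name starting with '-' being read as an option.
        exec('file -ib -- ' . escapeshellarg($path) . ' 2>/dev/null', $output, $status);
        if ($status === 0 && isset($output[0])) {
            // "image/jpeg; charset=binary" -> "image/jpeg"
            $type = strtolower(trim(explode(';', $output[0])[0]));
            // Reject error text such as "cannot open ..." that is not a MIME type.
            if (preg_match('#^[a-z0-9.+-]+/[a-z0-9.+-]+$#', $type) === 1) {
                return $type;
            }
        }
    }
    // No detector left: fail loudly instead of trusting the upload's headers.
    throw new RuntimeException('No content-based MIME detector is available');
}

// Constructed sample: PDF content stored under a .jpg name.
$sample = sys_get_temp_dir() . '/zf7617-' . bin2hex(random_bytes(4)) . '.jpg';
file_put_contents($sample, "%PDF-1.4\n% constructed sample\n");
try {
    echo basename($sample), ' => ', detectMimeType($sample), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'Validation unavailable: ', $e->getMessage(), PHP_EOL;
} finally {
    unlink($sample);
}
```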