Issues

ZF-9004: Zend_Validate_File_isImage doesn't allow all image mime types

Description

... Within the constructor it defines all allowed image mime types, but you can't really define all of them. I think it's better to remove all 'image/*' types and add a simple 'image' to the allowed mime list.

For example, currently "image/pjpeg" isn't an image.

Comments

Nope:

This would make this validator insecure, as someone could simply set their own type like "image/blabla", which would then be accepted.

On the other hand there are some mimetypes which are NO images and still use the image mimetype (image processing programs). These are actually NOT accepted by this validator.

The existing list of mimetypes is built from the officially accepted mimetype list. You can still add your own mimetypes or also set "images" if you want to be insecure.

Other image-types could be added per request, but until now there was none.

> This would make this validator insecure, as someone could simply set their own type like "image/blabla", which would then be accepted.

He can set his own type to one of the accepted types (e.g. "image/jpeg"), too. Additionally, it only has an effect if headerCheck is activated and no mimetype functions are available.

> On the other hand there are some mimetypes which are NO images and still use the image mimetype (image processing programs). These are actually NOT accepted by this validator.

OK, this makes sense. But for example, the mimetype "image/jpeg" passes on *.jgw (JPEG world file), too.

Fixed with r21138
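
The trade-off argued in this thread, as an added example in plain PHP (not Zend Framework code and not the change made in r21138): it compares a prefix match on the client-declared type, an exact allowlist on the declared type, and an exact allowlist on a type derived from the file's leading bytes. All function names, the three-entry allowlist and the sample uploads are constructed for illustration, and the magic-byte sniffer is a minimal stand-in for content-based detection.

```php
<?php
// Added example: names, allowlist and sample data are constructed, not from the project.
const ALLOWED_IMAGE_TYPES = ['image/gif', 'image/jpeg', 'image/png'];

// Policy 1: accept any client-declared type in the "image" family.
function acceptByPrefix(string $declared): bool {
    return strncmp($declared, 'image/', 6) === 0;
}

// Policy 2: exact allowlist, but still applied to the client-declared type.
function acceptByDeclaredAllowlist(string $declared): bool {
    return in_array($declared, ALLOWED_IMAGE_TYPES, true);
}

// Minimal content sniffing on leading magic bytes; returns null when unknown.
function sniffImageType(string $bytes): ?string {
    $signatures = [
        "\xFF\xD8\xFF"      => 'image/jpeg',
        "\x89PNG\r\n\x1A\n" => 'image/png',
        'GIF87a'            => 'image/gif',
        'GIF89a'            => 'image/gif',
    ];
    foreach ($signatures as $magic => $type) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            return $type;
        }
    }
    return null;
}

// Policy 3: exact allowlist applied to the type detected from the content.
function acceptByContent(string $bytes): bool {
    return in_array(sniffImageType($bytes), ALLOWED_IMAGE_TYPES, true);
}

// Constructed uploads: [label, client-declared type, first bytes of the file].
$uploads = [
    ['made-up subtype', 'image/blabla', "plain text, not an image"],
    ['text as jpeg',    'image/jpeg',   "0.5\n0.0\n0.0\n-0.5\n"],
    ['jpeg as pjpeg',   'image/pjpeg',  "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"],
    ['png',             'image/png',    "\x89PNG\r\n\x1A\n\x00\x00\x00\rIHDR"],
];
$yn = fn(bool $ok): string => $ok ? 'yes' : 'no';
foreach ($uploads as [$label, $declared, $bytes]) {
    printf("%-16s prefix=%-3s declared=%-3s content=%s\n", $label,
        $yn(acceptByPrefix($declared)), $yn(acceptByDeclaredAllowlist($declared)),
        $yn(acceptByContent($bytes)));
}
```

A matching signature only shows that the file starts like an image; it does not establish that the rest of the file is a valid one.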