ZF-9004: Zend_Validate_File_isImage doesn't allow all image mime types

Issue Type:
Improvement
Created:
2010-01-29T01:45:07.000+0000
Last Updated:
2010-02-22T14:44:23.000+0000
Status:
Resolved
Fix version(s):
  • 1.10.2 (24/Feb/10)
Reporter:
Marc Bennewitz (GIATA mbH) (mben)
Assignee:
Thomas Weidner (thomas)
Tags:
  • Zend_Validate_File
Related issues:
Attachments:

Description

... Within the constructor it defines all allowed image mime types but you can't define really all. I think it's better to remove all 'image/*' types and add a simple 'image' to allowed mime list.

For example currently "image/pjpeg" isn't an image.

Comments

Posted by Thomas Weidner (thomas) on 2010-01-29T02:44:44.000+0000

Nope:

This would unsecure this validator as someone could simply set a own type like "image/blabla" which would then be accepted.

On the other hand there are some mimetypes which are NO images and still use the image mimetype (image processing programs). These are actually NOT accepted by this validator.

The existing list of mimetypes is build from the official accepted mimetype list. You can still add own mimetypes or also set "images" when you want to get unsecure.

Other image-types could be added per request, but until now there was none.

Posted by Marc Bennewitz (GIATA mbH) (mben) on 2010-01-29T03:16:01.000+0000

This would unsecure this validator as someone could simply set a own type like "image/blabla" which would then be accepted. He can set an own type to one of the accepted type (e.g. "image/jpeg"), too. Additionally is has only effect if headerCheck is activated and no mimetype functions are available.

On the other hand there are some mimetypes which are NO images and still use the image mimetype (image processing programs). These are actually NOT accepted by this validator. OK, this makes sense. But for example the mimetype "image/jpeg" passes on *.jgw (JPEG world file), too.

Posted by Thomas Weidner (thomas) on 2010-02-22T14:44:23.000+0000

Fixed with r21138