Issue Type: Improvement Created: 2009-08-17T16:59:18.000+0000 Last Updated: 2009-08-20T03:45:05.000+0000 Status: Resolved Fix version(s): - 1.10.0 (27/Jan/10)
Reporter: Michael Ekoka (verysimple) Assignee: Thomas Weidner (thomas) Tags: - Zend_File_Transfer
Related issues: Attachments:
The MimeType validator uses the value returned by Http as a last resort when neither mime_content_type, nor file_info are available. I think Http is unreliable and should not even be considered at all for anything regarding mime types validation.
I propose to instead use a command line tool as a third option if needed, such as the 'file' command: $filename = escapeshellarg($filename); exec("file -ib $filename", $output); return $output;
I have had much success with this on many servers where the 2 first libraries were not available.
In case this shell command should fail as well, no check to http should even be attempted as it gives a false sense of security through false positives (a pdf maliciously disguised as .jpg), false negatives (a Windows machine with its file extensions hidden would fail a jpg mimetype validation when uploading one such file).
The Http check is just a troubleshooting headache waiting to happen if one has not thoroughly read the fine prints of the MimeType validation.
Therefore I also propose that if the 3 afore mentioned checks are not available (mime_content_type, file_info, shell), an exception should simply be thrown to make it clear that the MimeType validation should not be used as long as one of these 3 solutions has not been implemented on the machine.
Posted by Thomas Weidner (thomas) on 2009-08-18T00:03:22.000+0000
Within ZF it is not allowed to use exec(). The "file" command is not available under Windows.
And the most valueable argument: A validator must only return boolean true or false. It is not allowed to throw an exception while validating.
Posted by Michael Ekoka (verysimple) on 2009-08-18T04:34:56.000+0000
Granted that ZF doesn't allow exec().
About HTTP in MimeType validation: I think that validation should be implicitly strict and explicitly lenient. e.g. HTTP should be excluded altogether from the validation for MimeType, or just explicitly activated through a flag.
About exceptions: I'm not suggesting to throw them during validation, the validation return value is for the application to use, but the exception is intended for the developer. Having a validator simply return false because it's not finding mime_content_type or file_info doesn't seem like an appropriate behavior, especially in the context of a security component. A validator like any object could still throw exceptions within the lines of what they are intended, that is to signal to the dev that an exceptional situation was encountered that he/she should be aware of. In this case, that the underlying libraries upon which the validator relies to operate a function are missing and therefore the results would simply be inconclusive.
In other words the exception simply tells us "that feature you're trying to use to secure your uploads, well, at this time it's not really secure and it's best not to rely on it". At which point the dev has to take action to really solve the problem, either explicitly and knowingly deactivate the validator or install one of the required libraries.
just my 0.02$
Posted by Thomas Weidner (thomas) on 2009-08-18T11:40:47.000+0000
As I said before... Calling the isValid() method must never result in an exception.
Posted by Thomas Weidner (thomas) on 2009-08-20T03:44:56.000+0000
Implemented with r17685
Have you found an issue?
See the Overview section for more details.