igorkasyanchuk/active_storage_validations

New validation option to check that file extension matches mime type

tagliala opened this issue · 9 comments

Hi,

I would like to propose a new validation that checks if the extension matches the actual content type of the document. This should help prevent the upload of a .pdf which is actually a .docx.

I don't know a good name for this validation, or if it should be an option of content_type, like match_extension: true.

I can work on a PR if you are interested.

Let's wait a few days for comments. Could be useful.

This sounds like content type spoofing validation. Similar to what file_validators has: https://github.com/musaffa/file_validators#security

Adding content type spoofing validation sounds like a good idea to me too. I think kt-paperclip has a feature like this: https://github.com/kreeti/kt-paperclip?tab=readme-ov-file#security-validations

NOTE: Also starting at version 4.0.0, Paperclip has another validation that cannot be turned off. This validation will prevent content type spoofing. That is, uploading a PHP document (for example) as part of the EXIF tags of a well-formed JPEG. This check is limited to the media type (the first part of the MIME type, so, 'text' in text/plain). This will prevent HTML documents from being uploaded as JPEGs, but will not prevent GIFs from being uploaded with a .jpg extension. This validation will only add validation errors to the form. It will not cause errors to be raised.

This is also interesting.

Yes, that looks like a really good addition to the gem. I'll work on it in the coming days; let me know if you want to help :)