
I know that from a security standpoint this is not safe. But I intend to use the JavaScript code for convenience, so just as a first pass. My goal is to avoid any false positives, i.e. it is fine if a malicious hacker manipulated the file to have the MIME types that I accept (because I will be doing a second pass on the server side), but I would want to prevent legal files being detected as problematic.

UPDATE

Prototype of a working solution http://jsfiddle.net/tankchintan/5EUjE/1/


It is OK so long as you are confirming the type on the server side.

Using it on the client will just be a convenience to the end user. How are you determining the mime type? If it is just on extension, then you may as well just check for a valid extension on the client side.

Update

It appears to be just mapping extensions to file types, as a png renamed as mp3 is mpeg/audio to the code.

So, ensure you validate the type on the server by checking the file's contents, not its extension.


I am determining the MIME type using JavaScript to get access to the file being uploaded and then using the "type" attribute of the object, kind of like FieldName.files.0.type. So I am verifying if that value has "video" or "audio" in it.
@Chantz interesting, I've never seen that method before. Can you show some code?
@Chantz nice, thanks! File uploads have a type attribute? Didn't know that.
@Chantz Very interesting. However, I renamed a png file to mp3 and it passed. Maybe it internally is just mapping extensions to mime types.
@alex, yeah that's what I was not sure about. But since this is a first pass & a convenient GUI I thought it can do as long as it does not give false-positives.
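As an added example (not code from the question or the answer), the two passes the answer describes: a lenient client-side check on the browser-reported `type`, and a magic-byte content check of the kind the server must do, which catches the renamed PNG from the comments. The File object is modelled as a plain object `{ name, type, bytes }` so the example runs in Node; the signature table and the function names are the example's own assumptions.

```javascript
// Added example. In the browser, `bytes` would come from
// `new Uint8Array(await file.slice(0, 16).arrayBuffer())`; here it is a plain
// array so the code runs outside the browser.

// Constructed, deliberately small signature table: [offset, bytes, mime].
const SIGNATURES = [
  [0, [0x89, 0x50, 0x4e, 0x47], 'image/png'],   // PNG header
  [0, [0x49, 0x44, 0x33], 'audio/mpeg'],        // "ID3" tag at start of an MP3
  [0, [0x4f, 0x67, 0x67, 0x53], 'audio/ogg'],   // "OggS"
  [0, [0x1a, 0x45, 0xdf, 0xa3], 'video/webm'],  // EBML header (WebM/Matroska)
  [4, [0x66, 0x74, 0x79, 0x70], 'video/mp4'],   // "ftyp" box at offset 4
];

// First pass (client): only reject when the browser-reported type clearly says
// the file is something else. An empty type (unknown extension) is let
// through so that legitimate files never produce a false positive here.
function clientFirstPass(file) {
  const t = (file.type || '').toLowerCase();
  if (t === '') return true;
  return t.startsWith('audio/') || t.startsWith('video/');
}

// Content sniff: the MIME type implied by the leading bytes, or null.
function sniffType(bytes) {
  for (const [offset, sig, mime] of SIGNATURES) {
    if (bytes.length < offset + sig.length) continue;
    if (sig.every((b, i) => bytes[offset + i] === b)) return mime;
  }
  // MP3 without an ID3 tag: MPEG audio frame sync (11 set bits) at the start.
  if (bytes.length >= 2 && bytes[0] === 0xff && (bytes[1] & 0xe0) === 0xe0) {
    return 'audio/mpeg';
  }
  return null;
}

// Second pass (server): decide from the contents, never from the extension or
// the client-reported type.
function serverSecondPass(bytes) {
  const sniffed = sniffType(bytes);
  return sniffed !== null && (sniffed.startsWith('audio/') || sniffed.startsWith('video/'));
}
```

A PNG renamed to `.mp3` reports `audio/mpeg` and passes `clientFirstPass`, exactly as observed in the comments, but `serverSecondPass` sees the PNG header and rejects it.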
