Mahara can't figure out mime types because of a finfo() bug

Bug #1249858 reported by Aaron Wells on 2013-11-10
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
Mahara | | High | Robert Lyon |
1.6 | | High | Unassigned |
1.7 | | High | Unassigned |
1.8 | | High | Unassigned |

Bug Description

There have been several notable Mahara bugs based around the fact that our current handling of mimetypes is broken.

See for instance:
 - https://bugs.launchpad.net/mahara/+bug/1220639
 - https://bugs.launchpad.net/mahara/+bug/1249166

The problem is this:

1. You can't really trust the mimetype that the browser sends to you, because different browsers send different wacky things
2. Mahara has long used its own function file_mime_type() in lib/file.php for this purpose
3. file_mime_type() preferentially uses finfo() to check the mimetype. But, there's a bug in finfo() with an external magic db, which is how it is distributed on Ubuntu presently: https://bugs.php.net/bug.php?id=61940
4. file_mime_type() falls back to mime_content_type(). But that's now deprecated
5. If neither of those works, we fall back to trusting what the browser told us, which isn't really the best (see #1)

Aaron Wells (u-aaronw) wrote :

Since none of the standard PHP built-ins is acceptable at the moment for properly identifying a file's mimetype, I suggest we use Moodle's code for it. Moodle has a couple of functions in lib/filelib.php for identifying mime types based on file extension:

get_mimetypes_array(): https://github.com/moodle/moodle/blob/master/lib/filelib.php#L1387

mimeinfo(): https://github.com/moodle/moodle/blob/master/lib/filelib.php#L1594

The get_mimetypes_array() method has a pretty exhaustive list of mimetypes. The downside to this is that it's an external library, so we'll have to check periodically to keep it up to date. It would probably be best if this is just a temporary measure until the problems with PHP's mimetype functions get resolved.

Robert Lyon (robertl-9) wrote :

There is an option mentioned here -> https://bugs.php.net/bug.php?id=61940#1336148541
of a workaround to the problem.

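// Pick the magic DB file that matches the running PHP version.
if (version_compare(PHP_VERSION, '5.3.11') >= 0) {
    $magicfile = 'magic_php-gte-5_3_11.mgc';
} else {
    $magicfile = 'magic_php-lt-5-3-11.mgc';
}
// Path to the bundled magic DB, relative to this file.
$magicpath = __DIR__ . "/../../../config/{$magicfile}";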

Where we use both our old magic DB (the one from Ubuntu/Debian), and the one bundled here: https://raw.github.com/php/php-src/master/ext/fileinfo/tests/magic

We could use this until the problem is fixed with PHP

Aaron Wells (u-aaronw) wrote :

Here's a brief description of the recommended way to handle filetype of uploaded files: http://www.peachpit.com/blogs/blog.aspx?uk=Securely-Handling-File-Uploads-Five-Critical-E-Commerce-Security-Tips-in-Five-Days

1. Don't let unregistered users upload files (we do this)
2. Store uploaded files outside the webroot and only access them through a proxy script (we do this)
3. Preferably get the filetype from finfo(), which looks at the file contents
4. If you can't do that, use the file extension
5. Don't trust the mimetype, because it's sent by the web client and is therefore hackable and variable.

Aaron Wells (u-aaronw) wrote :

Robert has pointed out on IRC that there's a workaround listed on the PHP bug report, that involves including your own copies of the Magic DB, and checking which PHP version is running: https://bugs.php.net/bug.php?id=61940#1336148541

So, I propose this course of action:

1. We implement the workaround of including Magic DBs in the Mahara distribution itself
2. We port Moodle's Mime Type array as a fallback
3. We drop the deprecated call to mime_content_type()
4. If neither finfo nor the giant Moodle Mimetype list is able to identify the file's mimetype, we set it to the default 'application/octet-stream', and don't look at or trust the browser-supplied mimetype at all.

Setting the mimetype to octet-stream won't solve the problem of embedding PDFs where this problem became apparent because it only accepts application/pdf.

Some more information on bug #1270110

Aaron Wells (u-aaronw) wrote :

Raising to high importance because it causes a number of other bugs.

Aaron Wells (u-aaronw) wrote :

Okay, so there are a few things going on here. I ran some tests using FF, Ubuntu 12.04, and PHP 5.3.12 (my dev environment)

1. If you upload an MP3 file, in Mahara 1.7 or 1.6, it doesn't get recognized as an audio file.

2. An MP3 file *does* get recognized as an audio file in Mahara 1.8, but this is because of this patch ( https://reviews.mahara.org/#/c/2474/3 ) which tells it to trust the mimetype passed by the browser.

3. The call to finfo() in file_mime_type() currently does not work. BUT, if I remove the magicpath argument (which according to the docs lets PHP use its "internal" one), then it *does* work.

4. The part of file_mime_type() where it falls back to analyzing the uploaded file's file extension, doesn't work when you're uploading a file. Because in that case, the $file we pass in to file_mime_type() is the gibberish filename of a PHP temporary upload file.

So... I think this is the course of action we need to take:

For 1.6 & 1.7:

1. Add a config-defaults.php option $cfg->pathtomagicdb that allows the admin to configure the magicpath. The default (NULL) will continue with the current magicdb behavior. Setting boolean FALSE will use PHP's internal one. Setting a path will use the db at that path. This will allow affected systems to fix the problem, while not changing the behavior for other systems.

2. Add an optional parameter to file_mime_type() to take the original filename and look at the file extension on that. Alter ArtefactTypeFile::new_file() to use this option (when uploading a file)

For 1.8:

1. The same stuff as for 1.7

2. Also, revert patch https://reviews.mahara.org/#/c/2474 , which tells Mahara to use the browser-supplied mimetype. (Or at least reverse the logic so that we trust file_mime_type() first, and if that provides nothing, we check the browser-supplied mimetype)

For 1.9.0 & later:

1. The same stuff as for 1.8

2. Also, we change the default setting of $cfg->pathtomagicdb to FALSE. (Which is okay to do because this is a major release)

3. And we get rid of the logic in file_mime_type that checks for whether we can use FILEINFO_MIME_TYPE or FILEINFO_MIME. The FILEINFO_MIME_TYPE functionality was added in PHP 5.3, and that's the only version we support now.

Mahara Bot (dev-mahara) wrote :

Patch for "1.6_STABLE" branch: https://reviews.mahara.org/3169

Mahara Bot (dev-mahara) wrote :

Patch for "1.6_STABLE" branch: https://reviews.mahara.org/3170

Mahara Bot (dev-mahara) wrote :

Patch for "1.7_STABLE" branch: https://reviews.mahara.org/3171

Mahara Bot (dev-mahara) wrote :

Patch for "1.7_STABLE" branch: https://reviews.mahara.org/3172

Mahara Bot (dev-mahara) wrote :

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/3173

Mahara Bot (dev-mahara) wrote :

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/3174

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/3175

Mahara Bot (dev-mahara) wrote :

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/3176

Aaron Wells (u-aaronw) wrote :

Update: in 1.8, we already trust the file_mime_type() result more than the browser-supplied mimetype.

So now the way it works is:

1. Use finfo result if available

2. Use file extension if available

3. Use browser mime type if none of those matched

And when using *any* of these mime types, we only accept it if it matches a mime type in our artefact_file_mime_types table, which comes from the artefact/file/filetypes.xml file. If it's not a recognized mime type, we fall back to application/octet-stream.

When serving files up, we always serve the mime type stored in the DB, i.e. one of the ones from artefact/file/filetypes.xml. And files served with the HTML mimetype are always sent as force-download, or passed through htmlpurifier. So, there's not really much of a security threat from trusting the user-supplied (either the file extension or the browser mimetype). Thus I think we should continue with trusting those as a fallback if finfo() fails.
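The detection order and allowlist check described in the comment above, sketched as an added example (this is not Mahara's code). The function name, the two constant arrays and the `$usefinfo` switch are hypothetical, and taking the first candidate that appears on the allowlist is one reading of the comment. It assumes PHP 7.1 or later.

```php
<?php
// Added illustration, not Mahara's code. All names below are hypothetical.

// Constructed stand-in for the artefact_file_mime_types table (artefact/file/filetypes.xml).
const KNOWN_MIME_TYPES = ['image/png', 'audio/mpeg', 'application/pdf', 'text/html'];
// Constructed extension map for the file-extension fallback.
const EXTENSION_TO_MIME = ['png' => 'image/png', 'mp3' => 'audio/mpeg', 'pdf' => 'application/pdf'];

/**
 * Pick a MIME type for an upload: content sniffing first, then the extension of the
 * original (client-side) filename, then the browser-supplied type. Only values on the
 * allowlist are accepted; anything else becomes application/octet-stream.
 */
function upload_mime_type(string $tmppath, string $originalname, ?string $browsertype, bool $usefinfo = true): string
{
    $candidates = [];

    // 1. finfo with PHP's internal magic database (no magic path argument).
    if ($usefinfo && function_exists('finfo_open')) {
        $finfo = @finfo_open(FILEINFO_MIME_TYPE);
        if ($finfo !== false) {
            $sniffed = @finfo_file($finfo, $tmppath);
            if (is_string($sniffed)) {
                $candidates[] = $sniffed;
            }
        }
    }

    // 2. Extension of the original filename. PHP's temp upload path has no usable extension.
    $ext = strtolower(pathinfo($originalname, PATHINFO_EXTENSION));
    if (array_key_exists($ext, EXTENSION_TO_MIME)) {
        $candidates[] = EXTENSION_TO_MIME[$ext];
    }

    // 3. Browser-supplied type, last because the client controls it.
    if ($browsertype !== null) {
        $candidates[] = strtolower(trim($browsertype));
    }

    // Accept the first candidate that is a recognised type; never store anything else.
    foreach ($candidates as $type) {
        if (in_array($type, KNOWN_MIME_TYPES, true)) {
            return $type;
        }
    }
    return 'application/octet-stream';
}

// Constructed sample upload: PNG signature plus IHDR header, in a temp file with no extension.
$tmp = tempnam(sys_get_temp_dir(), 'php');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . pack('NNC5', 1, 1, 8, 6, 0, 0, 0));

$cases = [
    'content sniffed, misleading browser type'        => [$tmp, 'photo.png', 'text/html', true],
    'finfo unavailable, extension of original name'   => [$tmp, 'song.mp3', null, false],
    'finfo unavailable, temp name passed as filename' => [$tmp, basename($tmp), 'application/x-unknown', false],
];
foreach ($cases as $label => $args) {
    printf("%-50s %s\n", $label, upload_mime_type(...$args));
}
unlink($tmp);
```

The third case reproduces the situation fixed by "Pass original filename to file_mime_type()": with only the temp name available the extension step contributes nothing, and an unrecognised browser type ends up as application/octet-stream.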

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/3177

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/3179

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/3178

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/3180

Aaron Wells (u-aaronw) on 2014-04-02
Changed in mahara:
status: Confirmed → In Progress

Reviewed: https://reviews.mahara.org/3173
Committed: http://gitorious.org/mahara/mahara/commit/c8da15a15ac9ee5b1c3212d125ed079f930fd65e
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE

commit c8da15a15ac9ee5b1c3212d125ed079f930fd65e
Author: Aaron Wells <email address hidden>
Date: Wed Apr 2 16:41:22 2014 +1300

Pass original filename to file_mime_type()

Bug 1249858: When being called for file uploads, file_mime_type()
is getting the PHP temp upload file's filename, and so the attempt
to check the file extension is always unsuccessful because those
temp file names are gibberish

Change-Id: I631ca8c80316919b6aefc9712b68017d752ba942

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3169
Committed: http://gitorious.org/mahara/mahara/commit/bfaf9fa0b437ea097be5f6ea84c4b4b90b344e3b
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.6_STABLE

commit bfaf9fa0b437ea097be5f6ea84c4b4b90b344e3b
Author: Aaron Wells <email address hidden>
Date: Wed Apr 2 16:41:22 2014 +1300

Pass original filename to file_mime_type()

Bug 1249858: When being called for file uploads, file_mime_type()
is getting the PHP temp upload file's filename, and so the attempt
to check the file extension is always unsuccessful because those
temp file names are gibberish

Change-Id: I631ca8c80316919b6aefc9712b68017d752ba942

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3171
Committed: http://gitorious.org/mahara/mahara/commit/3f879321b586294d1a5afe31ef2081310b6d836e
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.7_STABLE

commit 3f879321b586294d1a5afe31ef2081310b6d836e
Author: Aaron Wells <email address hidden>
Date: Wed Apr 2 16:41:22 2014 +1300

Pass original filename to file_mime_type()

Bug 1249858: When being called for file uploads, file_mime_type()
is getting the PHP temp upload file's filename, and so the attempt
to check the file extension is always unsuccessful because those
temp file names are gibberish

Change-Id: I631ca8c80316919b6aefc9712b68017d752ba942

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3177
Committed: http://gitorious.org/mahara/mahara/commit/f62ea3d290e84fd0a624c444d65fb7a1ee73a4bb
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit f62ea3d290e84fd0a624c444d65fb7a1ee73a4bb
Author: Aaron Wells <email address hidden>
Date: Wed Apr 2 16:41:22 2014 +1300

Pass original filename to file_mime_type()

Bug 1249858: When being called for file uploads, file_mime_type()
is getting the PHP temp upload file's filename, and so the attempt
to check the file extension is always unsuccessful because those
temp file names are gibberish

Change-Id: I631ca8c80316919b6aefc9712b68017d752ba942

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3170
Committed: http://gitorious.org/mahara/mahara/commit/56dcc6a252490bc4dd616ec3d18e5ad9ed37ce79
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.6_STABLE

commit 56dcc6a252490bc4dd616ec3d18e5ad9ed37ce79
Author: Aaron Wells <email address hidden>
Date: Wed Apr 2 16:42:25 2014 +1300

Allow users to specify magicdb location (or use PHP's default)

Bug 1249858

Change-Id: I0dd741dad20bc17b33fb6d1a3bb9cf3d845d28df

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3172
Committed: http://gitorious.org/mahara/mahara/commit/b5697b22f2030ba75df9a21d416d07378d93aa66
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.7_STABLE

commit b5697b22f2030ba75df9a21d416d07378d93aa66
Author: Aaron Wells <email address hidden>
Date: Wed Apr 2 16:42:25 2014 +1300

Allow users to specify magicdb location (or use PHP's default)

Bug 1249858

Change-Id: I0dd741dad20bc17b33fb6d1a3bb9cf3d845d28df

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3176
Committed: http://gitorious.org/mahara/mahara/commit/d9e2ad1cb9bbb2635dc34f5d445522dc66461317
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE

commit d9e2ad1cb9bbb2635dc34f5d445522dc66461317
Author: Aaron Wells <email address hidden>
Date: Wed Apr 2 16:42:25 2014 +1300

Allow users to specify magicdb location (or use PHP's default)

Bug 1249858

Change-Id: I49c0738bbb154f769ab7f80def3ddb983fe836a1

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3178
Committed: http://gitorious.org/mahara/mahara/commit/556a78c6828df3a629c8af1c135d455081b7eed7
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 556a78c6828df3a629c8af1c135d455081b7eed7
Author: Aaron Wells <email address hidden>
Date: Wed Apr 2 16:42:25 2014 +1300

Allow users to specify magicdb location (or use PHP's default)

Bug 1249858

Change-Id: I49c0738bbb154f769ab7f80def3ddb983fe836a1

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3179
Committed: http://gitorious.org/mahara/mahara/commit/7a9b8e994a0e03cc8de6046603c3ee0b02ca3411
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 7a9b8e994a0e03cc8de6046603c3ee0b02ca3411
Author: Aaron Wells <email address hidden>
Date: Wed Apr 2 17:11:15 2014 +1300

Use the PHP internal magicdb as the default

Bug 1249858

Change-Id: I1d02db529740f4b68a3c6075b2cef0e3d94578e3

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3180
Committed: http://gitorious.org/mahara/mahara/commit/069e85dc71452e3cffc84d86bce415271b805612
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 069e85dc71452e3cffc84d86bce415271b805612
Author: Aaron Wells <email address hidden>
Date: Wed Apr 2 17:11:56 2014 +1300

FILEINFO_MIME_TYPE is always present in PHP 5.3+, and that's all we support now

Bug 1249858

Change-Id: If6c978cbf32f465469229bc093cd086e758f7147

Mahara Bot (dev-mahara) wrote :

Patch for "1.6_STABLE" branch: https://reviews.mahara.org/3182

Reviewed: https://reviews.mahara.org/3181
Committed: http://gitorious.org/mahara/mahara/commit/2de25a00f02a82aeb92e45e527e3d900a5da6b48
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 2de25a00f02a82aeb92e45e527e3d900a5da6b48
Author: Robert Lyon <email address hidden>
Date: Thu Apr 3 09:46:30 2014 +1300

Prefer fileinfo detected mimetype over browser-supplied mimetype (Bug #1249858)

Browsers can get their mimetypes for certain things mixed up if
they visit badly written websites. So we should trust magicdb over
what the browser tells us.

Change-Id: I477580d55a70f7e2d03385897a6ec02166506908
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/3184

Reviewed: https://reviews.mahara.org/3184
Committed: http://gitorious.org/mahara/mahara/commit/6c82f41791198d7449d263d8c0da0ab0e6d33296
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE

commit 6c82f41791198d7449d263d8c0da0ab0e6d33296
Author: Robert Lyon <email address hidden>
Date: Thu Apr 3 09:46:30 2014 +1300

Prefer fileinfo detected mimetype over browser-supplied mimetype (Bug #1249858)

Browsers can get their mimetypes for certain things mixed up if
they visit badly written websites. So we should trust magicdb over
what the browser tells us.

Change-Id: I477580d55a70f7e2d03385897a6ec02166506908
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3183
Committed: http://gitorious.org/mahara/mahara/commit/f8d5cf96c830bd31660f66c031099a60c7fa3c94
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE

commit f8d5cf96c830bd31660f66c031099a60c7fa3c94
Author: Robert Lyon <email address hidden>
Date: Thu Apr 3 11:19:21 2014 +1300

Autodetect the location of the magicdb

Bug 1249858

Change-Id: I1531c0da4ffb1044817e2ff6be14dd7a50ceb5e6
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Patch for "1.6_STABLE" branch: https://reviews.mahara.org/3186

Robert Lyon (robertl-9) on 2014-04-02
Changed in mahara:
status: In Progress → Fix Committed

Mahara Bot (dev-mahara) wrote :

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/3187

Reviewed: https://reviews.mahara.org/3182
Committed: http://gitorious.org/mahara/mahara/commit/4345f417060e817fa5d7f04b0531eca506935099
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.6_STABLE

commit 4345f417060e817fa5d7f04b0531eca506935099
Author: Aaron Wells <email address hidden>
Date: Thu Apr 3 10:17:06 2014 +1300

Autodetect the location of the magicdb

Bug 1249858

Change-Id: I795fe6540e3ef8d6fcca97303c7217455eedd038

Reviewed: https://reviews.mahara.org/3188
Committed: http://gitorious.org/mahara/mahara/commit/e28c22c757f2526a3752f51feaa382fb1f373849
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.7_STABLE

commit e28c22c757f2526a3752f51feaa382fb1f373849
Author: Aaron Wells <email address hidden>
Date: Thu Apr 3 10:17:06 2014 +1300

Autodetect the location of the magicdb

Bug 1249858

Change-Id: I795fe6540e3ef8d6fcca97303c7217455eedd038

Reviewed: https://reviews.mahara.org/3187
Committed: http://gitorious.org/mahara/mahara/commit/94760a7230c50878c308a85f8dd16065667515dd
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.8_STABLE

commit 94760a7230c50878c308a85f8dd16065667515dd
Author: Robert Lyon <email address hidden>
Date: Thu Apr 3 12:35:48 2014 +1300

Fixing up the location of the png file to check (Bug #1249858)

Signed-off-by: Robert Lyon <email address hidden>

Change-Id: If428554c6ae728d6e742dab1c7ab927d1080305c

Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/3193

Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/3192

Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/3195

Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/3196

Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/3194

Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/3197

Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/3198

Reviewed: https://reviews.mahara.org/3192
Committed: http://gitorious.org/mahara/mahara/commit/e8e2802735356f2f1367508c38bf17274dbc3c4f
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.9_STABLE

commit e8e2802735356f2f1367508c38bf17274dbc3c4f
Author: Aaron Wells <email address hidden>
Date: Wed Apr 2 16:41:22 2014 +1300

Pass original filename to file_mime_type()

Bug 1249858: When being called for file uploads, file_mime_type()
is getting the PHP temp upload file's filename, and so the attempt
to check the file extension is always unsuccessful because those
temp file names are gibberish

Change-Id: I631ca8c80316919b6aefc9712b68017d752ba942

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3193
Committed: http://gitorious.org/mahara/mahara/commit/f1ed6e561d942db87a8bf4d302ef8683fbab21a7
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.9_STABLE

commit f1ed6e561d942db87a8bf4d302ef8683fbab21a7
Author: Aaron Wells <email address hidden>
Date: Wed Apr 2 16:42:25 2014 +1300

Allow users to specify magicdb location (or use PHP's default)

Bug 1249858

Change-Id: I49c0738bbb154f769ab7f80def3ddb983fe836a1

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3194
Committed: http://gitorious.org/mahara/mahara/commit/e5073aae2d4d5d55f206c8d8b90d1515fe24f712
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.9_STABLE

commit e5073aae2d4d5d55f206c8d8b90d1515fe24f712
Author: Aaron Wells <email address hidden>
Date: Wed Apr 2 17:11:15 2014 +1300

Use the PHP internal magicdb as the default

Bug 1249858

Change-Id: I1d02db529740f4b68a3c6075b2cef0e3d94578e3

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3195
Committed: http://gitorious.org/mahara/mahara/commit/0adbb72b254759b02488b421279968add264b358
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.9_STABLE

commit 0adbb72b254759b02488b421279968add264b358
Author: Aaron Wells <email address hidden>
Date: Wed Apr 2 17:11:56 2014 +1300

FILEINFO_MIME_TYPE is always present in PHP 5.3+, and that's all we support now

Bug 1249858

Change-Id: If6c978cbf32f465469229bc093cd086e758f7147

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3196
Committed: http://gitorious.org/mahara/mahara/commit/459d37af2a0eab3e2bc141fbc724b50781c40a3a
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.9_STABLE

commit 459d37af2a0eab3e2bc141fbc724b50781c40a3a
Author: Robert Lyon <email address hidden>
Date: Thu Apr 3 09:46:30 2014 +1300

Prefer fileinfo detected mimetype over browser-supplied mimetype (Bug #1249858)

Browsers can get their mimetypes for certain things mixed up if
they visit badly written websites. So we should trust magicdb over
what the browser tells us.

Change-Id: I477580d55a70f7e2d03385897a6ec02166506908
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3189
Committed: http://gitorious.org/mahara/mahara/commit/d05d2da36cef50dd1bf1eb12e817842ea38fd9b3
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit d05d2da36cef50dd1bf1eb12e817842ea38fd9b3
Author: Robert Lyon <email address hidden>
Date: Thu Apr 3 11:19:21 2014 +1300

Autodetect the location of the magicdb

Bug 1249858

Change-Id: I1531c0da4ffb1044817e2ff6be14dd7a50ceb5e6
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3190
Committed: http://gitorious.org/mahara/mahara/commit/899b2b3bc442fbd8ef17559dfe3c0e970556a237
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 899b2b3bc442fbd8ef17559dfe3c0e970556a237
Author: Robert Lyon <email address hidden>
Date: Thu Apr 3 12:35:48 2014 +1300

Fixing up the location of the png file to check (Bug #1249858)

Signed-off-by: Robert Lyon <email address hidden>

Change-Id: If428554c6ae728d6e742dab1c7ab927d1080305c

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3197
Committed: http://gitorious.org/mahara/mahara/commit/e6535bf13ab79bbc1de8f98b16d9d6d860462877
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.9_STABLE

commit e6535bf13ab79bbc1de8f98b16d9d6d860462877
Author: Robert Lyon <email address hidden>
Date: Thu Apr 3 11:19:21 2014 +1300

Autodetect the location of the magicdb

Bug 1249858

Change-Id: I1531c0da4ffb1044817e2ff6be14dd7a50ceb5e6
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3198
Committed: http://gitorious.org/mahara/mahara/commit/f34b5db91b7335f348879b8352abefde317d8d7b
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.9_STABLE

commit f34b5db91b7335f348879b8352abefde317d8d7b
Author: Robert Lyon <email address hidden>
Date: Thu Apr 3 12:35:48 2014 +1300

Fixing up the location of the png file to check (Bug #1249858)

Signed-off-by: Robert Lyon <email address hidden>

Change-Id: If428554c6ae728d6e742dab1c7ab927d1080305c

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3185
Committed: http://gitorious.org/mahara/mahara/commit/92e20adb568a5d27ba0e01eff214d90cfe75df5d
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.7_STABLE

commit 92e20adb568a5d27ba0e01eff214d90cfe75df5d
Author: Robert Lyon <email address hidden>
Date: Thu Apr 3 09:46:30 2014 +1300

Prefer fileinfo detected mimetype over browser-supplied mimetype (Bug #1249858)

Browsers can get their mimetypes for certain things mixed up if
they visit badly written websites. So we should trust magicdb over
what the browser tells us.

Change-Id: I477580d55a70f7e2d03385897a6ec02166506908
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3186
Committed: http://gitorious.org/mahara/mahara/commit/4284106c67bbbea9cfb6858f7a44e21eacb1e512
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.6_STABLE

commit 4284106c67bbbea9cfb6858f7a44e21eacb1e512
Author: Robert Lyon <email address hidden>
Date: Thu Apr 3 09:46:30 2014 +1300

Prefer fileinfo detected mimetype over browser-supplied mimetype (Bug #1249858)

Browsers can get their mimetypes for certain things mixed up if
they visit badly written websites. So we should trust magicdb over
what the browser tells us.

Change-Id: I477580d55a70f7e2d03385897a6ec02166506908
Signed-off-by: Robert Lyon <email address hidden>

Aaron Wells (u-aaronw) wrote :

Wow, that was a lot of code! So here's what we wound up doing:

1. Added some logic that tries different magicdb locations at install or upgrade time. If it finds one that works, it stores that in a config option and always uses that one. If it finds that none work, then it won't try to use fileinfo in the future.

2. Added a config-defaults.php option for advanced users to specify a different magic db location.

3. Added a parameter to file_mime_type() that allows it to get the original (uploaded) name of the file, so that if fileinfo doesn't work we can check the file's extension.

4. Changed the upload code so that it trusts file_mime_type() more than it trusts the browser-supplied mimetype
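Step 1 of the summary above (probing magicdb locations once and remembering the result), sketched as an added example that is not Mahara's code. The function name, the candidate paths and the returned array shape are hypothetical; the probe checks a known PNG, as the "png file to check" commit title suggests. It assumes PHP 7.1 or later.

```php
<?php
// Added illustration, not Mahara's code. Function name, candidate paths and the
// shape of the returned array are hypothetical.

/**
 * Try each magic database in turn and keep the first one that classifies a known
 * PNG as image/png. A NULL candidate means "PHP's internal database".
 * Returns ['usable' => bool, 'magicdb' => ?string], suitable for storing in config
 * so the probe runs once (install or upgrade) rather than on every upload.
 */
function probe_magicdb(array $candidates, string $knownpng): array
{
    if (!function_exists('finfo_open')) {
        return ['usable' => false, 'magicdb' => null];
    }
    foreach ($candidates as $magicdb) {
        if ($magicdb !== null && !is_readable($magicdb)) {
            continue; // path does not exist on this system
        }
        $finfo = @finfo_open(FILEINFO_MIME_TYPE, $magicdb);
        if ($finfo === false) {
            continue; // database could not be loaded
        }
        // Loading without error is not sufficient: verify the answer on a file
        // whose type is known in advance.
        if (@finfo_file($finfo, $knownpng) === 'image/png') {
            return ['usable' => true, 'magicdb' => $magicdb];
        }
    }
    // Nothing worked: callers should skip fileinfo and use the extension fallback.
    return ['usable' => false, 'magicdb' => null];
}

// Constructed reference file: PNG signature plus IHDR header.
$png = tempnam(sys_get_temp_dir(), 'png');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . pack('NNC5', 1, 1, 8, 6, 0, 0, 0));

// Hypothetical candidate list: two external databases, then PHP's internal one.
$result = probe_magicdb(['/usr/share/misc/magic.mgc', '/usr/share/misc/magic', null], $png);
unlink($png);

if ($result['usable']) {
    echo 'fileinfo usable, magicdb = ', $result['magicdb'] ?? '(PHP internal)', "\n";
} else {
    echo "fileinfo disabled; MIME type will come from the file extension\n";
}
```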

Aaron Wells (u-aaronw) on 2014-04-03
Changed in mahara:
milestone: 1.10.0 → 1.9.0
no longer affects: mahara/1.9
Robert Lyon (robertl-9) on 2014-04-22
Changed in mahara:
status: Fix Committed → Fix Released