Comment 18 for bug 1249858

Update: in 1.8, we already trust the file_mime_type() result more than the browser-supplied mimetype.

So now the way it works is:

1. Use finfo result if available

2. Use file extension if available

3. Use browser mime type if none of those matched

And when using *any* of these mime types, we only accept it if it matches a mime type in our artefact_file_mime_types table, which comes from the artefact/file/filetypes.xml file. If it's not a recognized mime type, we fall back to application/octet-stream.

When serving files up, we always serve the mime type stored in the DB, i.e. one of the ones from artefact/file/filetypes.xml. And files served with the HTML mimetype are always sent as force-download, or passed through htmlpurifier. So, there's not really much of a security threat from trusting the user-supplied (either the file extension or the browser mimetype). Thus I think we should continue with trusting those as a fallback if finfo() fails.