Update: in 1.8, we already trust the file_mime_type() result more than the browser-supplied mimetype.
So now the way it works is:
1. Use finfo result if available
2. Use file extension if available
3. Use browser mime type if none of those matched
And when using *any* of these mime types, we only accept it if it matches a mime type in our artefact_file_mime_types table, which comes from the artefact/file/filetypes.xml file. If it's not a recognized mime type, we fall back to application/octet-stream.
When serving files up, we always serve the mime type stored in the DB, i.e. one of the ones from artefact/file/filetypes.xml. And files served with the HTML mimetype are always sent as force-download, or passed through htmlpurifier. So, there's not really much of a security threat from trusting the user-supplied (either the file extension or the browser mimetype). Thus I think we should continue with trusting those as a fallback if finfo() fails.
Update: in 1.8, we already trust the file_mime_type() result more than the browser-supplied mimetype.
So now the way it works is:
1. Use finfo result if available
2. Use file extension if available
3. Use browser mime type if none of those matched
And when using *any* of these mime types, we only accept it if it matches a mime type in our artefact_ file_mime_ types table, which comes from the artefact/ file/filetypes. xml file. If it's not a recognized mime type, we fall back to application/ octet-stream.
When serving files up, we always serve the mime type stored in the DB, i.e. one of the ones from artefact/ file/filetypes. xml. And files served with the HTML mimetype are always sent as force-download, or passed through htmlpurifier. So, there's not really much of a security threat from trusting the user-supplied (either the file extension or the browser mimetype). Thus I think we should continue with trusting those as a fallback if finfo() fails.