Change Mahara's content-sniffing to match the WHATWG standard
Bug #1564715 reported by Aaron Wells
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Confirmed | Wishlist | Unassigned | |
Bug Description
WHATWG (Web Hypertext Application Technology Working Group) is basically the official specification organization for HTML5. They've written up some specifications about the correct & secure way that HTTP clients & servers ought to deal with file content types aka MIME types: https:/
Changed in mahara: | |
milestone: | none → 16.10.0 |
status: | New → Confirmed |
Changed in mahara: | |
milestone: | 16.10.0 → 16.10.1 |
Changed in mahara: | |
milestone: | 16.10.1 → 17.04.0 |
Changed in mahara: | |
importance: | Undecided → Medium |
milestone: | 17.04.0 → 17.10.0 |
Changed in mahara: | |
milestone: | 17.10.0 → 18.04.0 |
Changed in mahara: | |
milestone: | 18.04.0 → 18.10.0 |
Changed in mahara: | |
milestone: | 18.10.0 → 19.04.0 |
Changed in mahara: | |
importance: | Medium → Wishlist |
milestone: | 19.04.0 → none |
For comparison, Mahara's current system is basically:
1. Examine the file suffix of the file and see if it matches one in our list.
2. If that doesn't work, try it using the PHP finfo() command (which relies on libmagic's "magicdb" file).
3. If finfo is not available, or we can't find the magicdb file, try it using the PHP mime_content_type() command (which relies on the system's "magic.mime" file).
4. If that doesn't work, return the generic "application/octet-stream".
We also try to mitigate the possible threat posed by incorrect Mimetypes, by adding "Content-Disposition: attachment" to files unless they're being served inline (like the "src" of an image tag, or an HTML5 audio/video), to try to prevent the browser from handling the file directly.
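
A sketch of the lookup order described in the comment above, added here as an example and not taken from Mahara's code base; the suffix map, the function names and the sample file are hypothetical. Because the suffix is consulted before any content inspection, the constructed sample (HTML content saved with a .png suffix) is labelled image/png, which is the kind of mismatch the Content-Disposition header is there to contain.

```php
<?php
// Added illustration of the lookup order described above; not Mahara's code.
// SUFFIX_MAP, guess_mimetype() and response_headers() are hypothetical names.
const SUFFIX_MAP = ['png' => 'image/png', 'pdf' => 'application/pdf', 'html' => 'text/html'];

function guess_mimetype(string $path): string {
    // 1. Suffix lookup against a fixed list; the file content is not read.
    $suffix = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (array_key_exists($suffix, SUFFIX_MAP)) {
        return SUFFIX_MAP[$suffix];
    }
    // 2. libmagic via the fileinfo extension, if loaded and its database opens.
    if (function_exists('finfo_open')) {
        $finfo = @finfo_open(FILEINFO_MIME_TYPE);
        if ($finfo !== false) {
            $type = @finfo_file($finfo, $path);
            if (is_string($type) && $type !== '') {
                return $type;
            }
        }
    }
    // 3. mime_content_type() as the next fallback.
    if (function_exists('mime_content_type')) {
        $type = @mime_content_type($path);
        if (is_string($type) && $type !== '') {
            return $type;
        }
    }
    // 4. Nothing matched: generic binary type.
    return 'application/octet-stream';
}

function response_headers(string $path, bool $inline): array {
    $headers = ['Content-Type: ' . guess_mimetype($path)];
    if (!$inline) {
        // Not an <img>/<audio>/<video> source: ask the browser to download it.
        $name = str_replace(['"', "\r", "\n"], '', basename($path));
        $headers[] = 'Content-Disposition: attachment; filename="' . $name . '"';
    }
    return $headers;
}

// Constructed sample: HTML content stored under a .png suffix.
$tmp = sys_get_temp_dir() . '/sample_' . getmypid() . '.png';
file_put_contents($tmp, '<html><body>hello</body></html>');
print_r(response_headers($tmp, false)); // served as a download
print_r(response_headers($tmp, true));  // served inline, Content-Type only
unlink($tmp);
```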