Wrong mime type detection for CSV files #6148
Comments
You may want to turn off
Yes, @cebe is right. Also, as a possible solution you can override
Well, the magic file has the correct assignment for csv: https://github.com/yiisoft/yii2/blob/master/framework/helpers/mimeTypes.php#L147
The problem is that here https://github.com/yiisoft/yii2/blob/master/framework/validators/FileValidator.php#L315
Line 315 passes
Oh, right. So it seems that PHP's fileinfo detects the wrong mime type for me. I've tested with 2 simple CSV files:
and
In both cases I get https://github.com/yiisoft/yii2/blob/master/framework/helpers/BaseFileHelper.php#L147
It's the same for many plain text types. If I remember correctly, it fails to detect JSON as well.
Same problem uploading . Setting [['file'], 'file', 'skipOnEmpty' => false, 'extensions' => ['xls', 'xlsx']], I set the file check by extension, not mime type (using . I suppose it would be helpful to at least explain this behavior in the 'Uploading Files' article, which is now absolutely wrong:
A better choice is to switch the default behavior of the extension validator to validate on extension, not mime type, and to mention in the docs the possibility to check the mime type by setting the extensions list, for those who don't know the actual mime types of the files they work with. Thank you!
I think it is better to correct the docs rather than create security issues.
There will be no security issue in this change; you can still perform the check on mime type if you really want! We have two checks, extension and mime, so I select extension, but the system checks on mime.
If we set it to
But now, people who don't know about mime types use 'extensions' => ['xls', 'xlsx'] and get only
It is a security issue by default, that is why it is
My goal is to make it work correctly. It works for me now with . I suppose changing the default magic file will help too. The biggest problem now is that the documentation is contrary to the real behavior.
As I said, you can submit a PR for the docs; that will help. It is better to clarify such things in the docs than to create security vulnerabilities.
To say this is a vulnerability is the same as saying we should always encode values read from AR, for example. If the developer asks for a simple extension check, why would we silently check some unrelated stuff behind his back?
Your comparison is incorrect; it would be correct if we said
@qiangxue, please consider changing at least the documentation. But I think it is absolutely wrong to perform a check on mimeType and call it an extension check by default. Thank you!
I've used a file validator like this:
Even if I upload a valid CSV file, I always get the error "Only files with these extensions are allowed: csv.".
The reason is that in FileValidator::validateExtension() the mime type is detected as "text/plain" instead of "text/csv". Thus FileHelper::getExtensionsByMimeType() doesn't return csv as a valid extension.
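The three checks argued over in this thread, side by side, as an added example that is not yii2 code and is not the reporter's validator: a name-only extension check, a sniff-only check that maps the fileinfo result back to an extension (the path that rejects a genuine CSV because libmagic reports it as text/plain), and a combined check that requires the declared extension and accepts only the mime types fileinfo is actually observed to return for it. The two lookup tables and the sample uploads are constructed for this example; they are not the framework's mimeTypes.php map.

```php
<?php
declare(strict_types=1);

// Canonical extension => mime map, one type per extension, in the spirit of a
// magic file. Assumed for this example; it is not the project's map.
const CANONICAL_MIME = [
    'csv'  => 'text/csv',
    'json' => 'application/json',
    'txt'  => 'text/plain',
];

// Types fileinfo is observed to return for the same extensions. text/plain is
// listed for csv and json because libmagic has no signature for them and falls
// back to the generic text type, which is the mismatch this issue is about.
const ACCEPTED_MIMES = [
    'csv'  => ['text/csv', 'application/csv', 'text/plain'],
    'json' => ['application/json', 'text/plain'],
    'txt'  => ['text/plain'],
];

function detectMime(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    return $mime === false ? 'application/octet-stream' : $mime;
}

function extensionOf(string $originalName): string
{
    return strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
}

// Name-only check: trusts the client-supplied filename and never looks at the
// bytes, so a renamed script passes. This is the objection raised in the thread.
function validateByNameOnly(string $originalName, array $allowedExt): bool
{
    return in_array(extensionOf($originalName), $allowedExt, true);
}

// Sniff-only check: invert the canonical map and require the extension derived
// from the detected type to be allowed. A real CSV sniffs as text/plain, which
// maps to "txt" here, so it is rejected even though the upload is fine.
function validateBySniffedTypeOnly(string $path, array $allowedExt): bool
{
    $extsForMime = array_keys(CANONICAL_MIME, detectMime($path), true);
    return array_intersect($extsForMime, $allowedExt) !== [];
}

// Combined check: the declared extension must be allowed AND the sniffed type
// must be one the extension is known to produce. Keeps the content check while
// tolerating the generic text/plain result for plain-text formats.
function validateCombined(string $path, string $originalName, array $allowedExt): bool
{
    $ext = extensionOf($originalName);
    if (!in_array($ext, $allowedExt, true)) {
        return false;
    }
    return in_array(detectMime($path), ACCEPTED_MIMES[$ext] ?? [], true);
}

function writeTemp(string $content): string
{
    $path = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($path, $content);
    return $path;
}

// Constructed sample uploads: [saved temp file, client-supplied name].
$allowed = ['csv'];
$samples = [
    'genuine csv'        => [writeTemp("id,name\n1,alice\n2,bob\n"), 'data.csv'],
    'php script as .csv' => [writeTemp("<?php phpinfo();\n"), 'data.csv'],
    'gif image as .csv'  => [writeTemp("GIF89a\x01\x00\x01\x00\x80\x00\x00"), 'data.csv'],
];

foreach ($samples as $label => [$path, $name]) {
    printf(
        "%-20s mime=%-16s name-only=%-5s sniff-only=%-5s combined=%s\n",
        $label,
        detectMime($path),
        var_export(validateByNameOnly($name, $allowed), true),
        var_export(validateBySniffedTypeOnly($path, $allowed), true),
        var_export(validateCombined($path, $name, $allowed), true)
    );
    unlink($path);
}
```

Run it with the CLI (`php example.php`) on a build with the fileinfo extension enabled. The name-only column accepts all three uploads, the sniff-only column rejects the genuine CSV, and the combined column is the only one that separates the real CSV from the renamed script and image. In Yii 2 the analogous configuration is to keep `extensions` and additionally list the types fileinfo reports under the validator's `mimeTypes` property, or to disable the content check with `checkExtensionByMimeType => false` and accept that the rule then checks the name only.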