RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

IE11 rejects allowed MIME types #15472

Open JoshMcCullough opened 5 years ago

JoshMcCullough commented 5 years ago

Description:

Some MIME types configured in Admin > File Upload are disallowed still in IE11, but allowed in other browsers, e.g. Chrome.

Steps to reproduce:

  1. Add the following MIME types to Admin > File Upload: application/vnd.google-earth.kml+xml,application/vnd.google-earth.kmz
  2. In IE, attempt to upload a file with the kml or kmz extension -- note that the file is rejected / not allowed.
  3. Try the same in Chrome -- note that the file is accepted.

Expected behavior:

File types should be honored based on the configuration.

Actual behavior:

Allowed file types are rejected in IE11.

Server Setup Information:

Additional context

Note that the Network tab of IE11's developer tools does not show any network activity, so this rejection is happening locally within the browser as far as I can tell.

JoshMcCullough commented 4 years ago

I guess this must be an IE issue where it's just reporting the generic application/octet-stream MIME type for some files that it "doesn't know about" e.g. KMZ/KML. Probably nothing for RC to do here.

JoshMcCullough commented 4 years ago

Following up on my last thought, it seems bad that RC is limiting based on MIME type rather than simply extension. It relies on the user's system having these MIME types defined, whereas we probably don't care, and there is no guarantee that the file they're uploading actually is of the MIME type, but just that the extension matches and was found in the system's registry.

I suggest that RC should look at the file extension when determining if a file is allowed or not. This would be much more flexible.

JoshMcCullough commented 4 years ago

This is more than an IE issue. IMO RC should not rely on the browser's interpretation of a media type for a given file being uploaded -- it is often wrong or non-existent. For instance, we have some obscure extension (not specific media types) we need to allow users to upload. But we can't since the browser comes up with an empty/null media type (e.g. for the extension "dat" -- which could map to many media types).

If the browser can't determine the media type, RC won't upload the file.

I suggest that RC should allow us to configure allowed file extensions rather than media types as it is far more flexible. Otherwise, RC should do the media type validation on the server side using a library such as tika.
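An added example, not part of the original thread and not Rocket.Chat code, sketching the two suggestions in the comment above: fall back to the file extension when the browser reports an empty or generic media type, then confirm the content on the server from its leading bytes. All names (`EXTENSION_TYPES`, `SIGNATURES`, `resolveMediaType`, `isUploadAllowed`) and the `{ name, type, head }` upload shape are assumptions.

```javascript
// Added example, not Rocket.Chat code; all names are hypothetical.
// The browser-reported type is only a claim: it may be '' or
// 'application/octet-stream' for extensions the client has no mapping for.
const GENERIC_TYPES = new Set(['', 'application/octet-stream']);

// Assumed admin-maintained fallback from extension to media type.
const EXTENSION_TYPES = new Map([
  ['kml', 'application/vnd.google-earth.kml+xml'],
  ['kmz', 'application/vnd.google-earth.kmz'],
]);

// Leading-byte checks: KMZ is a ZIP container, KML is XML text (optional UTF-8 BOM).
const SIGNATURES = new Map([
  ['application/vnd.google-earth.kmz',
    (b) => b.length >= 4 && b[0] === 0x50 && b[1] === 0x4b && b[2] === 0x03 && b[3] === 0x04],
  ['application/vnd.google-earth.kml+xml',
    (b) => /^(\xEF\xBB\xBF)?\s*<(\?xml|kml)[\s>]/.test(String.fromCharCode(...b.slice(0, 64)))],
]);

// Use the reported type unless it is empty/generic; then map the extension.
function resolveMediaType(file) {
  const reported = (file.type || '').toLowerCase();
  if (!GENERIC_TYPES.has(reported)) return reported;
  const dot = file.name.lastIndexOf('.');
  const ext = dot > 0 ? file.name.slice(dot + 1).toLowerCase() : '';
  return EXTENSION_TYPES.get(ext) || reported;
}

// file: { name, type, head } where head is a Uint8Array of the first bytes.
function isUploadAllowed(file, allowedTypes) {
  const type = resolveMediaType(file);
  if (!allowedTypes.includes(type)) return { allowed: false, type, reason: 'type-not-allowed' };
  const matches = SIGNATURES.get(type);
  if (matches && !matches(file.head)) return { allowed: false, type, reason: 'content-mismatch' };
  return { allowed: true, type, reason: 'ok' };
}

// Constructed sample uploads (not taken from the issue).
const bytes = (s) => Uint8Array.from(s, (c) => c.charCodeAt(0));
const ALLOWED = [...EXTENSION_TYPES.values()];
const SAMPLES = [
  { name: 'route.kmz', type: '', head: bytes('PK\x03\x04rest') },
  { name: 'route.kml', type: 'application/octet-stream', head: bytes('<?xml version="1.0"?><kml>') },
  { name: 'fake.kmz', type: '', head: bytes('GIF89a') },
  { name: 'notes.dat', type: '', head: bytes('anything') },
];
for (const f of SAMPLES) console.log(f.name, isUploadAllowed(f, ALLOWED));
```

Types without an entry in `SIGNATURES` are accepted on the allowlist alone, so an extension such as `dat` still needs an explicit mapping before it passes.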

ggazzo commented 4 years ago

@JoshMcCullough what do you think about this proposal?

https://github.com/RocketChat/Rocket.Chat.Apps-engine/pull/239

JoshMcCullough commented 4 years ago

I don't have enough background on RC's code to be helpful here, unfortunately.

github-actions[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

JoshMcCullough commented 4 years ago

Don't you dare, bot!

JoshMcCullough commented 1 year ago

Related to: