YouweGit / FileManager

A secure file manager bundle for symfony2
MIT License

File manager changes the extension of the uploaded file #3

Closed ctrl-f5 closed 7 years ago

ctrl-f5 commented 8 years ago

E.g. PostScript files have their extension changed to `ai`, which is not correct.

Why are the extensions changed anyway? At least for files that already have an extension?

EazyAlvaro commented 8 years ago

@ctrl-f5 this is somewhat of an intended behavior. If I recall correctly, extensions are forced based on mimetype for reasons of security (renameable extensions are somewhat of an exploit vector).

As can be seen from the doc (https://github.com/YouweGit/FileManager/blob/master/Resources/doc/index.md), only certain mimetypes are allowed/supported.

Question: what mimetype do your PostScript files have?

ctrl-f5 commented 8 years ago

The files have the correct mimetype: `application/postscript`. But the Symfony MimeTypeExtensionGuesser converts all PostScript file extensions to `ai`, which in my eyes is the most incorrect one, but it's irrelevant which one it chooses, since it should just keep the existing one if it is valid.

Their list is built from the Apache httpd mimetype list, which also contains the correct `ps` and `eps` extensions, but they've chosen to only work with the first one.

I'm thinking of just writing my own extension guesser to validate PostScript files and registering it with the service, but this problem could occur for more mime types in the future...
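As an added example (not code from the bundle, from Symfony, or from either participant), the "keep the existing extension if it is valid" policy described above written as a stand-alone PHP class: the MIME type is assumed to come from server-side content detection, and the allow-list is constructed for the demo.

```php
<?php
// Added example (not the bundle's or Symfony's code). Given the MIME type the
// server detected from the file's content and the client-supplied filename,
// keep the original extension only when it is valid for that MIME type;
// otherwise fall back to the canonical (first) extension. A MIME type not on
// the allow-list is rejected outright.
final class ExtensionPolicy
{
    /** @var array<string, string[]> MIME type => extensions valid for it (allow-list) */
    private $allowed;

    public function __construct(array $allowed)
    {
        $this->allowed = array_change_key_case($allowed, CASE_LOWER);
    }

    /** Returns the extension to store, or null when the MIME type is not allowed. */
    public function resolve(string $detectedMime, string $originalName): ?string
    {
        $mime = strtolower(trim($detectedMime));
        if (!isset($this->allowed[$mime]) || $this->allowed[$mime] === []) {
            return null; // not on the allow-list: refuse the upload
        }
        // Extension as the client sent it, lower-cased; "" when there is none.
        $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
        if ($ext !== '' && in_array($ext, $this->allowed[$mime], true)) {
            return $ext; // e.g. .eps or .ps is kept for application/postscript
        }
        return $this->allowed[$mime][0]; // force the canonical extension, e.g. .ai
    }
}

// Constructed allow-list for the demo; in a Symfony app the extension lists
// could be taken from the framework's MIME-type tables (assumption).
$policy = new ExtensionPolicy([
    'application/postscript' => ['ai', 'eps', 'ps'],
    'image/png'              => ['png'],
    'application/pdf'        => ['pdf'],
]);

$cases = [
    ['application/postscript', 'diagram.eps'], // valid extension is kept
    ['application/postscript', 'diagram.txt'], // mismatched: canonical extension
    ['image/png',              'avatar.php'],  // executable-looking name: forced to .png
    ['text/html',              'page.html'],   // type not allowed: rejected
];
foreach ($cases as [$mime, $name]) {
    $result = $policy->resolve($mime, $name);
    printf("%-24s %-12s => %s\n", $mime, $name, $result === null ? 'rejected' : ".$result");
}
```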

EazyAlvaro commented 8 years ago

@ctrl-f5 Alternatively, you could fork and add your own mimetypes as needed to the allowed list.

You may want to look at https://github.com/YouweGit/FileManager/blob/master/Model/FileInfo.php, but again, this is from memory on a Friday afternoon :)

I'll have to look up what exploits you could do with a PostScript file in a website in the meanwhile.

ctrl-f5 commented 8 years ago

OK, I'll have a look at how I can solve this in my userland code and whether I can maybe contribute some improvements here for this problem.

ctrl-f5 commented 8 years ago

I've made a PR to add the option to keep original extensions, could you have a look at it?

EazyAlvaro commented 8 years ago

I will, sorry, had a week off, have a lot to catch up on.

alexraileanu commented 7 years ago

Closed for inactivity.

ctrl-f5 commented 7 years ago

nice...