carrierwaveuploader / carrierwave

Classier solution for file uploads for Rails, Sinatra and other Ruby web frameworks
https://github.com/carrierwaveuploader/carrierwave

Improve content type detection for .dotx, .ai, and others. #2705

Closed dzhikvas closed 7 months ago

dzhikvas commented 9 months ago

To correctly detect the content type of a file, in some cases the file extension should be used in addition to magic detection. Such cases include custom extensions with .zip contents, .dotx / .docx files, which have the same magic signature, and others.

This approach keeps protection from spoofing intact, which would not be guaranteed if Marcel::MimeType.for were used.

This should also resolve the issues described in #2704.
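
An added illustration of the idea described above, not the code from this pull request or from CarrierWave: the extension is used only to narrow the type found by magic detection, never to override it. The tables, `sniff` and `detect_content_type` are hypothetical names with constructed sample data.

```ruby
# Constructed signature table for illustration; a real application would use a
# MIME database rather than this short list.
MAGIC = {
  "PK\x03\x04".b        => "application/zip",
  "%PDF-".b             => "application/pdf",
  "\x89PNG\r\n\x1A\n".b => "image/png"
}.freeze

# Extension => [declared type, container type it is built on (nil if none)].
EXTENSIONS = {
  "zip"  => ["application/zip", nil],
  "docx" => ["application/vnd.openxmlformats-officedocument.wordprocessingml.document", "application/zip"],
  "dotx" => ["application/vnd.openxmlformats-officedocument.wordprocessingml.template", "application/zip"],
  "pdf"  => ["application/pdf", nil],
  "png"  => ["image/png", nil]
}.freeze

FALLBACK = "application/octet-stream"

# Type implied by the leading bytes only; the filename is never consulted here.
def sniff(bytes)
  head = bytes.b
  MAGIC.each { |signature, type| return type if head.start_with?(signature) }
  nil
end

# The extension may only narrow the sniffed type to a format built on that same
# container. It can never replace or contradict what the bytes say, and it is
# ignored entirely when the bytes match no known signature.
def detect_content_type(filename, bytes)
  sniffed = sniff(bytes)
  return FALLBACK if sniffed.nil?

  ext = File.extname(filename).delete_prefix(".").downcase
  declared, parent = EXTENSIONS[ext]
  declared && parent == sniffed ? declared : sniffed
end
```

With this rule a ZIP-based file named `.docx` or `.dotx` gets its specific type, while a PNG renamed to `.docx` is still reported as `image/png`, so an allowlist check on the result cannot be bypassed by renaming.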

mshibuya commented 7 months ago

Amazing work, thank you!