manassehkatz
commented
9 months ago TL;DR "browsers don't have to guess" is properly via mimetype, not extension.
Extensions are not the answer. They (a) can be faked, which can cause problems in some circumstances, which is one reason why some applications ignore the extension (though Windows in general relies on it for local files), (b) don't always exist depending on the system/browser/application uploading the file. The right way to do this is to:
- Determine (via a number of possible methods) the file type, which is essentially what the extension represents, as part of the upload/storage (into S3 or server filesystem) process.
- Store the filetype with a record describing the file
- When a file is downloaded (e.g., to a browser), use the filetype to determine the mimetype - e.g., JPEG files may have an extension of .jpg or .jpeg or a magic number of FF D8 FF, or any other method as appropriate to determine "yes, this is a JPEG file", and then always serve up the file with a mimetype of image/jpeg
If the files are being stored and served without a database table that stores relevant information (who uploaded it, when was it uploaded, what is it for, original filename, filetype, etc.) then yes, extension is a common method of handling this:
- Add or replace original extension with .jpg for jpeg, etc. after determining actual filetype
- When downloading, set mimetype based on extension.
meta:278103 meta:288647
When uploading images, we should save the file extension so that we can then serve it with an extension so that browsers don't have to guess. If we don't need think we'll ever need the original name of the file for debbugging, we can generate the unique name as now and append the file extension. If we think the name could be helpful, we can prepend the unique name to the full file name, e.g.
15akfheqatryeiqyfef-screenshot.png.Update: see first comment.