Open Compro-Prasad opened 6 years ago
You mean MIME type checking?
Yes. But I am unsure if it reveals the extension's format or if it actually reads file headers (the first few bytes) like the file command does, because some people try to re-upload the file by just changing the extension, which is not preferable from many standpoints.
Then, probably there is no better way. Also, files are uploaded by staff, not normal users, and uploaded files are never executed (Django never even executes arbitrary Python files). So extension checking is good enough. MIME checking will just add an extra layer. But either way, the server is never affected.
Then do whatever is best for now.
Allow documents and compressed files only.
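
The difference the thread discusses, between trusting the extension and reading the first few bytes as the file command does, shown as an added example (not code from this project). The extension allowlist and the function names `check_upload` and `check_django_upload` are assumptions made for illustration.

```python
import os

# Allowlist for "documents and compressed files": extension -> accepted leading bytes.
# The choice of extensions is an assumption for this example, not the project's list.
ZIP = (b"PK\x03\x04",)
OLE2 = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",)
ALLOWED = {
    ".pdf": (b"%PDF-",),
    ".zip": ZIP,
    ".docx": ZIP,   # OOXML and ODF documents are ZIP containers
    ".xlsx": ZIP,
    ".odt": ZIP,
    ".doc": OLE2,   # legacy Office compound file
    ".gz": (b"\x1f\x8b",),
    ".7z": (b"7z\xbc\xaf\x27\x1c",),
}


def check_upload(filename, head):
    """Return (ok, reason) for a file name and the first bytes of its content."""
    ext = os.path.splitext(filename)[1].lower()
    signatures = ALLOWED.get(ext)
    if signatures is None:
        return False, "extension %r is not on the allowlist" % ext
    if not any(head.startswith(sig) for sig in signatures):
        # Typical for a file that was re-uploaded after only its extension was changed.
        return False, "content does not match the %s signature" % ext
    return True, "ok"


def check_django_upload(uploaded_file):
    """Adapter for an object with .name/.read()/.seek(), such as Django's UploadedFile."""
    head = uploaded_file.read(8)
    uploaded_file.seek(0)  # rewind so the storage backend still saves the whole file
    return check_upload(uploaded_file.name, head)


if __name__ == "__main__":
    # Constructed sample inputs: (file name, first bytes of the content).
    samples = [
        ("report.pdf", b"%PDF-1.7\n"),
        ("report.pdf", b"MZ\x90\x00\x03\x00"),   # renamed, content is not a PDF
        ("backup.tar.gz", b"\x1f\x8b\x08\x00"),
        ("notes.html", b"<!doctype html>"),
    ]
    for name, head in samples:
        print(name, check_upload(name, head))
```

A matching signature only shows that the leading bytes agree with the claimed extension; it does not validate the rest of the file.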