victorjonsson / jQuery-Form-Validator

[DISCONTINUED] jQuery plugin that makes it easy to validate user input while keeping your HTML markup clean from javascript code.

mime type validation fails if I change the extension of the file #607

Open forreggbor opened 7 years ago

forreggbor commented 7 years ago

If I rename a PNG file's extension from .png to .jpg and use the following input field to validate it, then it is accepted as a valid JPG file. If I rename it back to .png then it is refused because it is not a jpg. I attached the PNG file.

```html
<input type="file" data-validation="mime" data-validation-allowing="jpg" name="dailyfile" id="dailyfile" class="dailyfile_input form-control">
```

shoot_001

victorjonsson commented 7 years ago

What behaviour did you expect?

forreggbor commented 7 years ago

In my opinion the mime type verification is different than the file extension verification. I can write any kind of extension into a file name but the real content doesn't change. With a mime type check the content should be checked. So what I expect is that if the form accepts only JPG files I wouldn't be able to upload any other type of file with a .jpg extension.

victorjonsson commented 7 years ago

That is the expected behaviour but it depends on capabilities of the browser. Which browser did you use?

forreggbor commented 7 years ago

Google Chrome 59

forreggbor commented 7 years ago

And I just did a test in Firefox 54. Same result. I can upload ANY kind of file if I rename the extension to .jpg. I just uploaded an .xls file with a .jpg extension and it worked. The validation filters out the file only if the extension is not .jpg. It looks like the mime type validation doesn't work at all but rather works like an extension validation. Could that be possible or am I doing something wrong?

forreggbor commented 7 years ago

I did one more test with IE11. Same result. Summary of my tests:

- Chrome 59, Firefox 54 on Linux and Windows 7 and 10: FAIL
- IE11 on Windows 7: FAIL

victorjonsson commented 7 years ago

Great, I'll look into it 👍

victorjonsson commented 7 years ago

You simply can't trust the mime type reported by the browser. https://stackoverflow.com/questions/1201945/how-is-mime-type-of-an-uploaded-file-determined-by-browser

I'll mark this as an improvement request since this validator actually can inspect the bytes of the file to determine the correct mime type (more can be read about this subject here: https://stackoverflow.com/questions/18299806/how-to-check-file-mime-type-with-javascript-before-upload)
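
The byte inspection mentioned in the last comment, sketched as an added example that is not part of the thread or the plugin's code: it compares the first bytes of the file against well-known format signatures instead of trusting the name or the browser-reported type. The names `sniff`, `checkUpload` and `checkFile`, and the sample headers, are assumptions constructed for illustration.

```javascript
// Well-known leading bytes ("magic numbers") of a few image formats.
const SIGNATURES = [
  { mime: 'image/jpeg', ext: ['jpg', 'jpeg'], bytes: [0xFF, 0xD8, 0xFF] },
  { mime: 'image/png', ext: ['png'],
    bytes: [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A] },
  { mime: 'image/gif', ext: ['gif'], bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Return the signature entry matching the start of `head`, or null.
function sniff(head) {
  for (const sig of SIGNATURES) {
    if (head.length >= sig.bytes.length &&
        sig.bytes.every((b, i) => head[i] === b)) {
      return sig;
    }
  }
  return null;
}

// `allowed` mirrors data-validation-allowing, e.g. ['jpg'].
// Accept only if the content is a known type, that type is allowed,
// and the extension in the file name agrees with the content.
function checkUpload(fileName, head, allowed) {
  const ext = (fileName.split('.').pop() || '').toLowerCase();
  const sig = sniff(head);
  if (!sig) return { ok: false, detected: null, reason: 'unknown content' };
  if (!sig.ext.some((e) => allowed.includes(e))) {
    return { ok: false, detected: sig.mime, reason: 'content type not allowed' };
  }
  if (!sig.ext.includes(ext)) {
    return { ok: false, detected: sig.mime, reason: 'extension does not match content' };
  }
  return { ok: true, detected: sig.mime, reason: 'ok' };
}

// Browser wrapper: read only the first bytes of a File from <input type="file">.
// Blob.arrayBuffer() needs a current browser; older ones need FileReader.
async function checkFile(file, allowed) {
  const head = new Uint8Array(await file.slice(0, 16).arrayBuffer());
  return checkUpload(file.name, head, allowed);
}

// Constructed sample headers: a PNG, a JPEG, and a legacy .xls (OLE2 container).
const PNG_HEAD = Uint8Array.from([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]);
const JPG_HEAD = Uint8Array.from([0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46]);
const XLS_HEAD = Uint8Array.from([0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1]);
```

A check like this in the browser only improves feedback to the user; the server receiving the upload has to inspect the content again, because anything sent by the client can be altered.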