Formidable detects MIME-type according to the file extension and not by the real content
Support plan
- which support plan is this issue covered by? (e.g. Community, Sponsor, or Enterprise): Community
- is this issue currently blocking your project? (yes/no): no
- is this issue affecting a production system? (yes/no): yes
Context
- node version: 16.4.2
- module (formidable) version: 3.0.0-canary.20210428
- environment (e.g. node, browser, native, OS): Node.js
- used with (i.e. popular names of modules):
- any other relevant information: Formidable detects the MIME type according to the file extension and not by the real content. This means that a user can fake the file's MIME type by changing the file's extension and, as a result, upload disallowed file types to the server.
BTW, multer detects the file's MIME type not by the extension only.
What are you trying to achieve or the steps to reproduce?
- Given a JPG file `tst.jpg`
- Rename it to `tst.pdf`
- Set a break point inside of `uploader.parse(req, async (err, fields, files) => {…})`
- Try to upload `tst.pdf`

```js
uploader.parse(req, async (err, fields, files) => {
  if (err) {
    reject(err);
  } else {
    // …
  }
});
```
What was the result you got?
mimetype = application/pdf
What result did you expect?
mimetype = image/jpeg
Since this file is actually a JPG file but with a wrong extension.
Issue Analytics
- Created 2 years ago
- Reactions: 2
- Comments: 18 (10 by maintainers)
I'm a happy user of mmmagic. It was chosen ~6 years ago for execution inside AWS Lambda because of speed. But for formidable I would suggest making it pluggable. I mean not a specific plugin, but just a parameter like:
Or a plugin which allows custom logic.
https://github.com/vader-sama/typective similar to magic-bytes but works with streams
Also remember that a valid number does not prove anything in the end. I remember it was possible to make valid JPEG files that were also valid PHP files, which was one way to hack a server that looked like it did everything correctly.