I would advise against using this

[alexbudin]

With this library you are getting the mime type based on the file extension and not the actual mime type of the file, based on the file content (the actual binary data), which is s HUGE security problem. If someone uses this with form submitted files, they are introducing a massive security hole in their code as the extension of the file can be easily changed by anyone so that they can easily upload a file.

You must place a warning in your readme so that this is not used for form upload purposes or for public facing projects.

Have a look at how PHP does this with the function mime_content_type and look for actual code and you will see that it actually opens the file to read the first bytes.

I realize that you specify that this library determines the mime type from an extension, but you need to warn people about the dangers of that in case someone less experienced uses this for production ready projects where security is very important.

Hope this helps and does not get deleted.

[josantonius]

Hi @alexbudin,

This library does not work with files, not even filenames. It is impossible for this library to cause any security problems because it is simply a collection that translates a mime type into its extension and vice versa.

I've used this library on an educational website that lists and then asks for Mime Types, there's no reason to prevent it from being used on a public project like this or similar.

That people could validate a file by doing MimeType::getMime(pathinfo('file.pdf', PATHINFO_EXTENSION)) == 'application/pdf'? Could be, they can also do pathinfo('file.pdf', PATHINFO_EXTENSION) == 'pdf' and the PHP documentation warns nothing about it.

Anyway, I will try to specify better what it does to avoid confusion.

Thank you!

[alexbudin]

I know exactly what you mean. I'm just seeing a more and more people who use methods like this to validate a mime type when data is being submitted to the backend, and its better that developers that don't have yet a lot of experience know exactly what this does and doesn't and where to use it and where not to - its all for safer projects :)

Thank you.