Order of file size check and mime type check should be changed #9

Open
trawick opened this issue Jan 2, 2016 · 0 comments
trawick commented Jan 2, 2016

With .doc files from older MS Word, libmagic via the buffer interface on Ubuntu 14 is unable to identify the mime type unless the entire file is passed in the buffer. (Perhaps this issue occurs with other MIME types as well.) Otherwise, the returned mime type is "application/CDFV2-corrupt", which should fail the content-type check. The user will be told that "application/CDFV2-corrupt" is not supported, which is not something they can deal with effectively. A partial work-around for this is to set mime_upload_length to the max file size supported so that the entire file contents are provided to libmagic. However, that has a remaining case where the user is unnecessarily misled by an error message:

  • if the actual mime type is "application/msword" but the file size exceeds the limit (and thus mime_upload_length), the error presented to the user will be a mime type error (because not enough data was passed to libmagic) instead of a file length error.

This confusing message can be resolved simply by changing the order of the file size and mime type checks.

(For some use cases this still might not be a workable solution because of the need to process the file contents in memory. That could be mitigated by reading additional data if the data in a "small" buffer cannot be identified.)

trawick added a commit to trawick/django-validated-file that referenced this issue Jan 6, 2016
Aside from the fact that checking size is cheaper, this change fixes
a misleading and confusing message described in issue kaleidos#9, where a
user uploading a MS Word .doc file which is too big is told incorrectly
that the content type is wrong.

The tests were changed to work (only) with Django 1.6 and
above, which changed humanize to add a non-breaking space (\xa0)
between a value and its unit.  See this ticket for more
details:

  https://code.djangoproject.com/ticket/20246

I tested with these dependencies along with Python 2.7.6:

  Django==1.6.11
  python-magic==0.4.10
trawick changed the title from "Consider changing order of file size check and mime type check" to "Order of file size check and mime type check should be changed" on Jan 6, 2016
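
The ordering problem described in this issue, as an added example that is not code from django-validated-file: it runs the same two checks in both orders against an oversize .doc, with `mime_upload_length` set to the size limit as in the work-around. `fake_sniff`, `validate`, `rejection_reason`, `UploadRejected` and the 1024-byte limit are hypothetical; `fake_sniff` is a constructed stand-in that models the libmagic behaviour reported above rather than calling libmagic.

```python
# Added example: not code from django-validated-file.
CDF_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2/CDF file signature


class UploadRejected(Exception):
    def __init__(self, reason, detail):
        super().__init__(detail)
        self.reason = reason  # "size" or "content_type"


def fake_sniff(buf, full_size):
    """Constructed stand-in for libmagic's buffer interface (assumption):
    a CDF file is only identified when the whole file is in the buffer."""
    if not buf.startswith(CDF_MAGIC):
        return "application/octet-stream"
    if len(buf) < full_size:
        return "application/CDFV2-corrupt"
    return "application/msword"


def validate(data, allowed, max_size, mime_upload_length, size_first=True):
    def check_size():
        if len(data) > max_size:
            raise UploadRejected(
                "size", "%d bytes exceeds limit of %d" % (len(data), max_size))

    def check_type():
        # Only the first mime_upload_length bytes reach the sniffer.
        mime = fake_sniff(data[:mime_upload_length], len(data))
        if mime not in allowed:
            raise UploadRejected("content_type", "%s is not supported" % mime)

    order = [check_size, check_type] if size_first else [check_type, check_size]
    for check in order:
        check()


def rejection_reason(data, size_first):
    limit = 1024  # constructed limit; mime_upload_length equals it (work-around)
    try:
        validate(data, {"application/msword"}, limit, limit, size_first)
    except UploadRejected as exc:
        return exc.reason
    return None


small_doc = CDF_MAGIC + b"\x00" * 504   # constructed 512-byte sample
big_doc = CDF_MAGIC + b"\x00" * 2040    # constructed 2048-byte sample
```
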