
I have an application that allows upload of PDF files and compressed files (zip, rar, tar, etc...). I'm using this list of MIME types as a reference to check the type of the files.

Here is the PHP snippet for the upload:

<?php
// this function is called by AJAX
// $file is the entry from $_FILES for the uploaded field (assumed; the question does not show how it is set)
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$check = finfo_file($finfo, $file["tmp_name"]); // detected MIME type, or false if libmagic cannot classify the file
finfo_close($finfo);

if ($check != 'application/pdf' && $check != 'application/x-rar-compressed' && $check != 'application/x-rar'
    && $check != 'application/zip' && $check != 'application/x-compressed' && $check != 'application/x-zip-compressed' && $check != 'multipart/x-zip'
    && $check != 'application/octet-stream' && $check != 'application/gzip' && $check != 'application/tar'
    && $check != 'application/tar+gzip') {
        echo json_encode(array('msg' => 'error. Try PDF or compressed file (zip, rar)')); exit();
}
if ($file['size'] > 10485760) { // 10 MB
    echo json_encode(array('msg' => 'error. Max size is 10MB')); exit();
}
$upload = new Upload($file); // Helper class to upload files
// the file is saved

All works fine in my local environment and also on the server when I run the tests, but my client is using a PDF file that is throwing the "error. Try PDF or compressed file (zip, rar)".

I got the same file that he's using (by email) and when I test on my local machine all works fine. In the debug, the $check var has the value application/pdf.

Looking for any solution I found this question on SO and now I'm thinking: should I include application/vnd.pdf, application/x-pdf or even text/pdf in the first if block? Could it compromise my application?

I'm using Firefox, but also tested in Chrome and Opera. He noted this bug in IE11, but also in Chrome. Is it possible that his computer or the browser is changing the MIME type?

Note: The problematic file has a name like "file.PDF" (PDF in capitals), but I don't think it is causing the problem. As I said, the same file works in my tests.

UPDATE

Following @fusion3k's suggestion in the comments, I printed the $check var with the error message. Now when I try to upload an image, for example, I get:

Try PDF or compressed file (zip, rar). image/jpeg

The problem now is that the problematic files (there is more than one now) are printing an empty string after the error message and I don't know what to do, since the MIME type is, apparently, empty.

According to the user, the PDF is generated by an old scanner and I think that could be the problem, but the strange thing is that the same file (when sent to me by e-mail) works fine.

  • Try changing && to || as the same file cannot have all the mimetypes associated with it. – jeff Jan 27 '16 at 23:28
  • @jeff Thanks for the help, but how does it help? Since the file can't have two different types at the same time, wouldn't the effect be the same? Anyway, I'll try to change it to see if I notice any difference. – James Jan 28 '16 at 00:26
  • 1) you can add to the error msg the value of `$check` to test the mime value on the server; 2) to see if the problem is caused by the uppercase extension, you can check the mime_type for `strtolower($file[tmp_name])`. When you have isolated the problem, you can decide whether to add new mime_types to check. I don't think that adding the above mime_types can compromise your application. – fusion3k Jan 28 '16 at 02:04
  • Thanks for the tip @fusion3k. I had not thought of that. Now I have a new problem: I printed `$check` with the error message, but when my client tries to upload the file, the var `$check` is empty. I'll update the question with this new information. – James Jan 29 '16 at 12:29
  • If the `$check` value is empty, then the failure is before, at `finfo_file()`; are you sure that the file is properly loaded (`$file['tmp_name']` is not empty?) – fusion3k Jan 29 '16 at 12:47
  • Well, in my tests (both on localhost and on the server) the same file works fine. Many other files also work fine, so I don't think that the problem is in `$file['tmp_name']`. Am I missing anything? – James Jan 29 '16 at 13:17
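A fail-closed version of the same check, added here as an example; it is not code from the question or the comments. It assumes the form field is `$_FILES['file']` and that the `Upload` helper class from the question exists. It rejects and logs the empty finfo result the comments describe instead of comparing an empty string against the list, replaces the chain of `!=` with one allow-list lookup, drops `application/octet-stream` (which would admit any binary), and adds a `%PDF-` signature check as a second opinion for PDFs.

```php
<?php
// Added example, not the question's own code. Assumes the form field is
// $_FILES['file'] and that the Upload helper class exists (both assumptions).
function checkUploadedFile(array $file): ?string // null means "accepted"
{
    // PHP reports upload problems in 'error'; anything but UPLOAD_ERR_OK is a failed upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'error. Upload failed (code ' . ($file['error'] ?? 'none') . ')';
    }
    // Only accept a file PHP itself received via HTTP upload, not an arbitrary path.
    if (empty($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return 'error. Not an uploaded file';
    }
    if ($file['size'] > 10485760) { // 10 MB
        return 'error. Max size is 10MB';
    }
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    // finfo_file() returns false when it cannot classify the file; the client in the
    // question saw an empty value. Fail closed and log it rather than comparing '' to the list.
    if ($mime === false || $mime === '') {
        error_log('finfo could not classify upload ' . ($file['name'] ?? '?'));
        return 'error. Could not determine file type. Try PDF or compressed file (zip, rar)';
    }
    // One allow-list membership test instead of a chain of != (the && vs || confusion
    // in the comments). application/octet-stream is left out on purpose: it means
    // "unknown binary" and would admit any file at all.
    $allowed = [
        'application/pdf', 'application/x-pdf',
        'application/zip', 'application/x-zip-compressed', 'multipart/x-zip',
        'application/x-rar-compressed', 'application/x-rar',
        'application/gzip', 'application/tar', 'application/tar+gzip',
    ];
    if (!in_array($mime, $allowed, true)) {
        return 'error. Try PDF or compressed file (zip, rar). ' . $mime;
    }
    // Second opinion for PDFs: the content must start with the %PDF- signature
    // (strict: leading junk bytes that some viewers tolerate are rejected here).
    if (substr($mime, -3) === 'pdf'
        && file_get_contents($file['tmp_name'], false, null, 0, 5) !== '%PDF-') {
        return 'error. File is not a valid PDF';
    }
    return null;
}

$msg = checkUploadedFile($_FILES['file'] ?? []);
if ($msg !== null) { echo json_encode(['msg' => $msg]); exit(); }
$upload = new Upload($_FILES['file']); // helper class from the question
```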

0 Answers