Collaborate Disseminate
I am writing a simple server for file uploading. I want to be able to rename uploaded files (including the file extension) and download files.
For validating the file to upload my plan was to check if the mime type, the file extension and … Continue reading How to handle mime types, file extension and magic number on file upload, renaming and file download?
Let’s say I have a file named foo.sh.jpg or foo.exe.jpg. FastAPI automatically assigns a content-type: image/jpeg in both cases so if you check the MIME type you technically have an image. I wanted to know if by also having a .sh extension… Continue reading Is it bad to upload a file with an extension like .sh.jpg in FastAPI?
I have read about X-Content-Type-Options and it says often that it protects against IE mime sniffing problems.
I am wondering if in 2021 it is still valid and a problem for modern browsers? In other words, will it be beneficial for my web … Continue reading Is mime-sniffing still something to protect against with modern browsers (with X-Content-Type-Options)?
My code is that
if (in_array($file_ext, $extensions)) {
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $file_tmp);
if ($mime == ‘application/msword’ || $mime == ‘image/gif’ … Continue reading why the internal server error occured when using finfo_file function? [closed]
$_FILES[‘userfile’][‘type’] == "image/gif"
There is a problem to choose not only image.gif but whatever name is, such as *.gif . And, if it is possible, can you share some regex expressions for all names and especially image ext… Continue reading How to choose specific file names in php code? [migrated]
I’m trying to intercept and decipher scripted code that is sent to a previously installed Windows application, after a user have clicked on a particular URL in their web browser which is somehow returning a MIME response that is intercepte… Continue reading How to intercept application specific MIME types used by 3rd party (Windows) browser/plugins apps?
In order to write an application for myself that prevents me from visiting websites that let me download files of a certain type, I am trying to find a way to reliably tell if an URL lets me download a file and if so then tell me the filen… Continue reading How could a software reliably tell if an URL makes me download a file and what its filename and mimetype are? (without downloading the file) [migrated]
I am putting together an email and have been asked to embed the images and to reference their ContentID in the HTML so that the email is self contained (no requests out to download the images from our CDN).
This is a process that I’m not v… Continue reading Security Risks of CID Image Embed?
I found a strange behavior of Shopify, where an attacker can change the extension on a URL and the backend will send back an HTTP content-type matching that extension, for each of these extensions:
atom: application/atom+xml
bmp: image/bm… Continue reading Letting attacker control content-type, why is this safe?
The security team of my company is stating that content spoofing occurs when they send a different “content-type” for an HTTP request that only accepts JSON content type, and the server response is an error HTML page, natural… Continue reading Is it necessarily Content spoofing if the content type of the response does not match the content type of the request?