Status/Resolution/Reason: Closed/Fixed/
Reporter/Name(from Bugbase): Henry Ho / Henry Ho (Henry Ho)
Created: 03/18/2016
Components: Security
Versions: 10.0
Failure Type:
Found In Build/Fixed In Build: Final /
Priority/Frequency: Normal / All users will encounter
Locale/System: English / Win All
Vote Count: 1
Problem Description:
FileGetMimeType() with default strict = true cannot tell a fake jpeg that's really an executable.
Steps to Reproduce:
Rename any exe file (e.g. 7z.exe from 7zip and gm.exe from GraphicsMagick) to fake.jpg
FileGetMimeType('fake.jpg'), but fileupload() with strict=true identifies the file correctly as "application/octet-stream"
Actual Result:
"image/jpg"
Expected Result:
"application/ms-download" before it's renamed, or better yet "application/octet-stream"
Any Workarounds:
For images: IsImageFile() seems more reliable
For the rest, cannot count on this broken function!
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 4130274
External Customer Info:
External Company:
External Customer Name: Henry Ho
External Customer Email:
External Test Config: My Hardware and Environment details:
Attachments:
Comments:
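
Added example, not part of the original bug report and not Adobe's code: a content-based check that classifies a file by its leading bytes rather than its name, so a renamed executable such as the fake.jpg above is not accepted as an image. The helper names sniffSignature() and isGenuineJpeg() and the signature list are assumptions made for this illustration.

```cfml
<cfscript>
// Hypothetical helper: map a file's first bytes to a MIME type.
// Signatures are upper-case hex prefixes of the file content.
function sniffSignature(required string path) {
    var signatures = [
        { hex = "4D5A",             mime = "application/octet-stream" }, // "MZ": DOS/PE executable
        { hex = "FFD8FF",           mime = "image/jpeg" },               // JPEG start-of-image marker
        { hex = "89504E470D0A1A0A", mime = "image/png" },                // PNG signature
        { hex = "47494638",         mime = "image/gif" }                 // "GIF8"
    ];

    // An empty file has no signature to inspect.
    if (getFileInfo(arguments.path).size == 0) {
        return "application/octet-stream";
    }

    var head = "";
    var fh = fileOpen(arguments.path, "readBinary");
    try {
        // Read at most 8 bytes (the longest signature listed above).
        head = uCase(binaryEncode(fileRead(fh, 8), "hex"));
    } finally {
        fileClose(fh);
    }

    for (var sig in signatures) {
        if (left(head, len(sig.hex)) == sig.hex) {
            return sig.mime;
        }
    }
    // Unknown content is treated as opaque binary, never as an image.
    return "application/octet-stream";
}

// Hypothetical helper: accept a file as JPEG only when its content says so,
// combined with the IsImageFile() workaround mentioned in the report.
function isGenuineJpeg(required string path) {
    return sniffSignature(arguments.path) == "image/jpeg"
        && isImageFile(arguments.path);
}
</cfscript>
```

A signature match only shows how the file begins, so it is a gate before further validation such as IsImageFile(), not proof that the rest of the content is benign.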