I've got a server script receiving an uploaded file from Javascript.
Client-side, using a File object (from the W3C File API) and code similar to this line:
if (file.type.indexOf("text") == 0) { ... }
one can perform a check of the file type. Apparently, this uses a MIME type (which returns these strings).
In my journeys here through SO, I ventured across this worthy contributor, who maintains that MIME types are useless.
Are MIME types indeed basically useless in a file upload situation, and any type checking should therefore occur server-side?
I've got a server script receiving an uploaded file from Javascript.
Client-side, using a File object (from the W3C File API) and code similar to this line:
if (file.type.indexOf("text") == 0) { ... }
one can perform a check of the file type. Apparently, this uses a MIME type (which returns these strings).
In my journeys here through SO, I ventured across this worthy contributor, who maintains that MIME types are useless.
Are MIME types indeed basically useless in a file upload situation, and any type checking should therefore occur server-side?
Share Improve this question edited Oct 7, 2021 at 5:54 CommunityBot 11 silver badge asked Apr 26, 2012 at 7:39 BenBen 57.3k50 gold badges184 silver badges229 bronze badges2 Answers
Reset to default 5That contributor maintains that all MIME type checking is useless, client or server-side.
And to some degree he's right. MIME type checking is always based on sniffing certain characteristics of a file. His example: a PDF file should start with something like %PDF-1.4. But a file that starts with %PDF-1.4 is not necessarily a PDF file. (Simplified explanation.)
A user can put all the right hints in all the right places so a MIME detector would detect the file as some specific type, because it's looking at those particular hints. But then the rest of the file could be something pletely different. If you go that far though, what is it that makes a file of a certain type then? It's all just binary gobbledygook. In the end the only way you can make sure a file is a valid file of type X is by trying to open and parse it with a parser that expects files of type X. If it parses correctly, it's a file useful as type X. If it walks like a duck, quacks like a duck...
With that in mind, trying to parse the file is better than sniffing the MIME type server-side is better than sniffing the MIME-type client side is better than taking the user's word for what type of file it is. Note that client-side MIME type sniffing is just as unreliable as taking the user's word for anything, since it all happens client-side.
The contributer is correct. You can't rely merely on MIME type checking to truly validate a file. It's only useful for quick lookups. For instance, on the client side, you can check the MIME type of a file before it is sent to the server, just in case the user chose the wrong file type, saving time and bandwidth. Apologies for the liberal use of mas!