Can I rely on the MIME type when checking for JavaScript if the downloaded file has an audio, video, or image type?

I know that from a security point of view, this is unsafe. But I want to use JavaScript code for convenience, as a sort of first pass. My goal is to avoid false positives, i.e. this is normal if a malicious hacker manipulated the file to have MIME types that I accept (because I will do a second pass on the server side), but I would like to prevent files with permissions from being detected as a problem.

UPDATE

Prototype working solution http://jsfiddle.net/tankchintan/5EUjE/1/

1 answer

This is normal as long as you confirm the type on the server side.

Using it on the client will be just a convenience for the end user. How do you define a MIME type? If this is just an extension, you can simply check for a valid extension on the client side.

Update

This seems to be just a mapping of extensions to file types, since a png renamed as mp3 is mpeg/audio to the code.

So, make sure that you check the type on the server by checking the contents of the file, not its extension.


Source: https://habr.com/ru/post/1347468/
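
The server-side content check recommended in the answer, as an added example that is not part of the original thread: it classifies an upload by its leading bytes and compares the result with the type the client claimed. The function names, the signature table and the sample bytes are assumptions constructed for illustration.

```javascript
// Added example: identify a file by its leading bytes ("magic numbers"),
// not by its name or the browser-reported type (which follows the extension).
const SIGNATURES = [
  // [media type, byte offset, expected bytes]
  ["image/png",  0, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  ["image/jpeg", 0, [0xff, 0xd8, 0xff]],
  ["image/gif",  0, [0x47, 0x49, 0x46, 0x38]],   // "GIF8"
  ["audio/mpeg", 0, [0x49, 0x44, 0x33]],         // "ID3" tag before the MP3 frames
  ["video/mp4",  4, [0x66, 0x74, 0x79, 0x70]],   // "ftyp" box; simplified, other
                                                 // ISO BMFF files also match
];

function sniffType(bytes) {
  for (const [type, offset, magic] of SIGNATURES) {
    if (bytes.length >= offset + magic.length &&
        magic.every((b, i) => bytes[offset + i] === b)) {
      return type;
    }
  }
  // MP3 without an ID3 tag starts with an 11-bit frame sync (weak, 2-byte check).
  if (bytes.length >= 2 && bytes[0] === 0xff && (bytes[1] & 0xe0) === 0xe0) {
    return "audio/mpeg";
  }
  return null; // unknown content
}

// Accept only when the content is recognized, allowed, and matches the claim.
function checkUpload(claimedType, bytes, allowed) {
  const detected = sniffType(bytes);
  if (detected === null) {
    return { ok: false, detected, reason: "unrecognized content" };
  }
  if (!allowed.includes(detected)) {
    return { ok: false, detected, reason: "type not allowed" };
  }
  if (detected !== claimedType) {
    return { ok: false, detected, reason: "claimed type does not match content" };
  }
  return { ok: true, detected, reason: "" };
}

// Constructed sample: a PNG header uploaded as "song.mp3" with type audio/mpeg.
const PNG_RENAMED = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0]);
console.log(checkUpload("audio/mpeg", PNG_RENAMED, ["audio/mpeg", "image/png"]));
```

The same `sniffType` function can serve as the client-side first pass if it is given the first bytes of the selected file, for example from `file.slice(0, 16).arrayBuffer()`.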

