Question about File Upload Security announcement on May 20th regarding file names and mimtypes.

This is probably a dumb question cuz I'm really new to coding, but there is an #💫┊announcements from May 20th of this year, regarding File Upload security, and the linked docs say that the acceptedFileTypes() function "uses Laravel's mimetypes rule which does not validate the extension of the file, only its mime type, which could be manipulated." Is this the rule being referred to? https://laravel.com/docs/11.x/validation#rule-mimetypes And if so, it says the "file's contents will be read and the framework will attempt to guess the MIME type, which may be different from the client's provided MIME type." When it says it reads the file's contents doesn't that mean that it's not just looking at the mimetype provided by the client/browser? What's also a little confusing is that right underneath that, there is a mimes rule ( https://laravel.com/docs/11.x/validation#rule-mimes ), which kinda says the same thing...? The only difference I can tell is that one is comparing a list of mimtypes to a list of mimetypes while the latter is comparing a file extention to the mimetype, but in both cases, it sounds to me like they are actually reading the binary content of the file to get the actual mimetype of the file and not just some property that can be falsified. Am I misunderstanding what the filament or laravel docs are saying? Any clarification would be greatly appreciated.
Laravel - The PHP Framework For Web Artisans
Laravel is a PHP web application framework with expressive, elegant syntax. We’ve already laid the foundation — freeing you to create without sweating the small things.
1 Reply
KnightOfRohan
KnightOfRohanOP•6mo ago
I haven't had a chance to follow-up on this question yet but I'm guessing the way I've asked the question is very convoluted. Apologies. To restate my question a little more clearly, hopefully: Based on the #💫┊announcements from May 20th regarding File Upload security and the linked documentation, my understanding is that someone could upload a file with a falsified MIME type, and the acceptedFileTypes() method won't catch this, leading to potential security risks like PHP files being uploaded as other file types. I assume the falsified MIME type is a surface-level issue and not related to the actual content of the file, as certain hex code patterns carry file type information. However, if the acceptedFileTypes() method uses Laravel's mimetypes rule, which supposedly reads the file's contents to guess the MIME type, shouldn't it be able to catch falsified MIME types? Could someone clarify what I'm missing or where the gap in my understanding is regarding how the Validator checks the file's MIME type based on its contents and why this might still be a security concern? Thank you!
Want results from more Discord servers?
Add your server