Question about File Upload Security announcement on May 20th regarding file names and mimetypes.

This is probably a dumb question cuz I'm really new to coding, but there is an #💫┊announcements from May 20th of this year, regarding File Upload security, and the linked docs say that the acceptedFileTypes() function "uses Laravel's mimetypes rule which does not validate the extension of the file, only its mime type, which could be manipulated." Is this the rule being referred to? https://laravel.com/docs/11.x/validation#rule-mimetypes And if so, it says the "file's contents will be read and the framework will attempt to guess the MIME type, which may be different from the client's provided MIME type." When it says it reads the file's contents, doesn't that mean that it's not just looking at the mimetype provided by the client/browser? What's also a little confusing is that right underneath that, there is a mimes rule ( https://laravel.com/docs/11.x/validation#rule-mimes ), which kinda says the same thing...? The only difference I can tell is that one is comparing a list of mimetypes to a list of mimetypes while the latter is comparing a file extension to the mimetype, but in both cases, it sounds to me like they are actually reading the binary content of the file to get the actual mimetype of the file and not just some property that can be falsified. Am I misunderstanding what the Filament or Laravel docs are saying? Any clarification would be greatly appreciated.
KnightOfRohan•5w ago
I haven't had a chance to follow up on this question yet, but I'm guessing the way I've asked the question is very convoluted. Apologies. To restate my question a little more clearly, hopefully: Based on the #💫┊announcements from May 20th regarding File Upload security and the linked documentation, my understanding is that someone could upload a file with a falsified MIME type, and the acceptedFileTypes() method won't catch this, leading to potential security risks like PHP files being uploaded as other file types. I assume the falsified MIME type is a surface-level issue and not related to the actual content of the file, as certain hex code patterns carry file type information. However, if the acceptedFileTypes() method uses Laravel's mimetypes rule, which supposedly reads the file's contents to guess the MIME type, shouldn't it be able to catch falsified MIME types? Could someone clarify what I'm missing or where the gap in my understanding is regarding how the Validator checks the file's MIME type based on its contents and why this might still be a security concern? Thank you!
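The distinction the thread is circling is that the mimetypes rule does sniff the file's bytes, but it says nothing about the extension of the name the file is stored under. As an added example (not Filament's or Laravel's own code), here is a custom Laravel validation rule that requires both the content-sniffed MIME type and the client file name's extension to be on an allow list; the class name, the allow-list shape and the error wording are assumptions.

```php
<?php

namespace App\Rules;

use Closure;
use Illuminate\Contracts\Validation\ValidationRule;
use Illuminate\Http\UploadedFile;

/**
 * Hypothetical rule: accept an upload only when BOTH the MIME type guessed
 * from the file's bytes and the extension of the client-supplied name are
 * on the allow list. The client's own Content-Type header is never consulted.
 *
 * Usage in a validator:
 *   'avatar' => ['required', 'file', new StrictFileType([
 *       'image/png'  => ['png'],
 *       'image/jpeg' => ['jpg', 'jpeg'],
 *   ])]
 */
class StrictFileType implements ValidationRule
{
    /** @param array<string, string[]> $allowed  sniffed MIME type => permitted extensions */
    public function __construct(private array $allowed) {}

    public function validate(string $attribute, mixed $value, Closure $fail): void
    {
        if (! $value instanceof UploadedFile || ! $value->isValid()) {
            $fail('The :attribute must be a valid uploaded file.');
            return;
        }

        // Guessed from the file contents (finfo via Symfony's guesser), not from the request.
        $sniffed = $value->getMimeType();

        // The extension of the name the browser sent. Untrusted on its own, but it is what a
        // web server or downstream tool will later use to decide how to treat the stored file.
        $ext = strtolower($value->getClientOriginalExtension());

        if ($sniffed === null || ! array_key_exists($sniffed, $this->allowed)) {
            $fail("The :attribute content type " . ($sniffed ?? 'unknown') . " is not allowed.");
            return;
        }

        if (! in_array($ext, $this->allowed[$sniffed], true)) {
            $fail("The :attribute extension .{$ext} does not match its content type {$sniffed}.");
        }
    }
}
```

Pair this with storing uploads under a server-generated name rather than the client's, so the extension on disk is one the application chose.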