WS_Code
FileUpload BUG
https://youtu.be/GGwATl3ZSQY
https://youtu.be/XpHHJ2bQHNY
Here are the reasons to think that the browser determines the mime type by the file extension
Laravel and file -b --mime will define it as text/plain
anyway laravel and browser define mime type differently
https://youtu.be/PiQvvIbSUeI
I understand that these are different things, but still the browser and laravel define it differently
And also the system utility determines the type in the same way as laravel
It is for this reason that acceptedFileTypes must contain both text/javascript and text/plain
Because the browser and filepond will detect the file as text/javascript, and laravel as text/plain
Perhaps I made a mistake in my stream of consciousness, somewhere equating them
The same is true for a large mass of other file types, I wrote about them above, and over the past two days I have also seen them in many discussions, there were .crt, .csv, .pen, .p12, .js and many other files
And such files are defined not only in the text/plain direction, but also binary ones, and media files sometimes do not match the mimetype on the frontend and backend
In this case, I will write the following code:
At first, the browser will allow you to select only files with the .js extension
Then filepond will check if the mimetype of the file specified in its extension matches the passed ['text/javascript']
Next, the file will be uploaded to the temporary livewire directory with the extension .txt
Then, when submitting the form, the file will be double-checked by mimetype by Laravel itself using ['text/plain'] and make sure once again that it is a text file
Then it will be renamed, in accordance with the callback I passed to getUploadedFileNameForStorageUsing
And will be saved with its real extension
Accordingly, for different logics, it should be possible to differentiate the rules
I believe that by default everything should be as is, and from acceptedFileTypes the rules should be passed to laravel and filepond "as is", without changes
But the acceptedBrowserFileTypes method must be added, which will overwrite the rules passed to filepond
When the loading is complete, the submit button for the form becomes available.
When you click it, laravel will check the mimetype according to the specified rule
Then file -b --mime index.js will output text/plain, but it will not match ['text/javascript'], and will display an error from the backend, under the FileUpload field widget
This is where the inconsistency lies: not in libraries or plugins, but in the logic of the browser and the operating system.
And it is filamentphp that transmits the specified rules to filepond and laravel, which use them during validation
But at the same time, if only ['text/javascript'] is specified in the validation, then the browser will allow you to select a js file, and it will pass content validation, as a result of which the download to the temporary livewire directory begins.
But already on the livewire side the file will be saved with an extension corresponding to its mimetype, which is determined by laravel
The reason for this is described here: https://securinglaravel.com/laravel-security-file-upload-vulnerability/#1-don’t-trust-user-input
The type is defined as text/plain
I assume with 85% confidence that the check occurs using the "file" system utility, using the command file -b --mime index.js
Which produces text/plain
But validation does not occur at this stage, since the file is loaded into a private temporary storage, in which, under normal conditions, it cannot be executed by anyone
I downloaded the filepond source code, found an implementation for checking the file type based on its contents, and made a small testbed on playcode.io
https://playcode.io/1905242
Using FileReader, it reads the contents of the file in DataURI format, which at the beginning contains the mimetype that was obtained based on the contents of the file
And at this stage, the received type is compared with the passed list for validation, and the resulting text/csv is missing in ['text/javascript', 'text/plain'], as a result an error occurs even before loading into the temporary livewire directory begins
I still don't think this is a filepond problem
The documentation says that it checks the file type in two steps: by setting the basic html accept attribute on the html5 input element
https://pqina.nl/filepond/docs/api/plugins/file-validate-type/
This way the available files are filtered in the file manager
For example, with ['text/javascript'] - only files with the .js extension will be available
And with ['text/javascript', 'text/plain'] - csv files will also be available, since the browser also considers them files of the text/plain type
Further it is written in the documentation that if the browser does not correctly determine the file type, it additionally double-checks the type of the selected file based on its contents
This explains why with ['text/javascript', 'text/plain'] and a csv file selected, an error appears regarding the file type even before it is loaded
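
The mismatch described in this thread, as an added example that is not part of the original messages and is not code from Filament, FilePond or Laravel: one upload is checked against a browser-side allowlist (the type the client declares) and a server-side allowlist (the type PHP's fileinfo extension derives from the content). The function names, the sample file and both allowlists are constructed for illustration.

```php
<?php
// Added example. Function names, allowlists and the sample file are constructed.

/** Server-side view: MIME type derived from the file content by PHP's fileinfo (libmagic). */
function detectedType(string $path): string
{
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($type === false) {
        throw new RuntimeException("cannot inspect $path");
    }
    return $type;
}

/**
 * Check one upload against two allowlists:
 *  - $browserTypes: matched against the type the client declared (extension-based)
 *  - $serverTypes:  matched against the type detected from the content
 */
function checkUpload(string $path, string $declaredType, array $browserTypes, array $serverTypes): array
{
    $detected = detectedType($path);
    return [
        'declared'      => $declaredType,
        'detected'      => $detected,
        'browser_check' => in_array($declaredType, $browserTypes, true),
        'server_check'  => in_array($detected, $serverTypes, true),
    ];
}

// Constructed upload: JavaScript source stored in a temporary file without its .js name.
$path = tempnam(sys_get_temp_dir(), 'upload_');
file_put_contents($path, "console.log('hello');\n");

// Type a browser reports for a file named index.js (constructed value).
$declared = 'text/javascript';

// One shared list for both sides, the case the thread reports as failing on submit.
var_dump(checkUpload($path, $declared, ['text/javascript'], ['text/javascript']));

// Separate lists per side, the split the thread proposes.
var_dump(checkUpload($path, $declared, ['text/javascript'], ['text/plain']));

unlink($path);
```

The detected value depends on the libmagic database installed on the server, so log it for real sample files before fixing the server-side list. The declared type is client-supplied input; only the content-based check is a server-side control.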