dbloecher,

Hello,

 

I had a similar problem with .doc and .pdf files. The editor would not upload them, claiming a mime type mismatch, no matter what I did and where I allowed them (both in code and configs).

 

This is the solution I worked out for myself. I hope it helps:

 

It has to do with the veracity of the mime type coming from the $_FILES array. In Dialogs/filePost.php the file type is checked by its file extension and provided mime type, matched against the expected mime type for that extension (defined in Dialogs/Include_Mimetype.php). However, it happens so that the $_FILES["file"]["type"] info cannot be trusted to be accurate. In my case the type info for .doc and .pdf files (as well as any other binary file for that matter) came as application/octet-stream instead of application/msword or application/pdf respectively.

I found two choices of working around the problem with various degree of complexity and security.

Choice one, the more secure and more complex way, would be to replace the mime type info coming from the $_FILES["file"]["type"] field with more relevant one, such as the finfo class/methods in PHP (available from 5.3.0 on or as PECL extension before that). This is a more secure approach than the original one, since the $_FILES["file"]["type"] can be altered by the user, while the php finfo method of defining mime type actually opens the file and checks the first 8 bytes against defined patterns.

Choice two, the easier but more unsafe, would be to modify out the mime checks section of the Dialogs/filePost.php file this way:

       if (in_array(strtolower(GetExtension($filename)),$Filter_Array))
    {
        $Is_valid=true;
        /*
        if(strnatcasecmp(trim($contentType),trim($filemimetype))==0)         
          $Is_valid=true;
        else
        {
          if(strnatcasecmp(trim($contentType),trim($filemimetype2))==0)         
            $Is_valid=true;
        }
          */
    }

This way the file extension check remains but the mime type check is skipped. This is not a very insecure way, at least not considerably more insecure than the original, since the $_FILES["file"]["type"] info is not a trusted source of information anyway, as previously said.

I hope this helps someone :)


Mihail Irintchev
Head of Software Development
SiteGround.com