Feature #43473

open

Reject file uploads when actual MIME type does not match the file extension

Added by Go MAEDA about 5 hours ago.

Status: New
Priority: Normal
Assignee: -
Category: Attachments
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:

Description

Redmine currently provides settings for allowed and disallowed file extensions. These settings validate uploaded files based on their file extension. However, a malicious user can upload a file with a misleading extension (e.g., uploading HTML or script content disguised as “.png”). This may pose security risks, especially when such files are served to users.

Redmine already uses Marcel to detect the actual MIME type for image thumbnail generation. This MIME detection can also be used at upload time.

Proposal:
Add a validation step during file upload that detects the actual MIME type from the file content using Marcel and rejects the upload if the detected MIME type does not match the expected MIME type for the file extension. This validation should be configurable on the settings page.
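The following is an added example illustrating the proposed check; it is not Redmine's code and not part of this issue. It compares a content-derived MIME type with the type expected for the file extension and rejects the upload on mismatch. Redmine itself would obtain the content-derived type from Marcel (Marcel::MimeType.for(io)); the small magic-byte sniffer here stands in for Marcel so the example runs without the gem. The signature table, the extension table, the function names and the sample inputs are all constructed for the example.

```ruby
# Added example (not Redmine's own code): content-based MIME check at upload time.
# In Redmine the detection step would be Marcel::MimeType.for(io); the sniffer
# below is a stand-in covering a handful of signatures so the example is self-contained.

# Constructed subset of magic signatures, matched against the first bytes of the file.
MAGIC = [
  ["\x89PNG\r\n\x1a\n".b, "image/png"],
  ["\xFF\xD8\xFF".b,      "image/jpeg"],
  ["GIF87a".b,            "image/gif"],
  ["GIF89a".b,            "image/gif"],
  ["%PDF-".b,             "application/pdf"],
  ["PK\x03\x04".b,        "application/zip"],
].freeze

# Constructed mapping from extension to the MIME type it is expected to carry
# (Marcel derives the equivalent from its own extension table).
EXTENSION_TYPES = {
  "png" => "image/png", "jpg" => "image/jpeg", "jpeg" => "image/jpeg",
  "gif" => "image/gif", "pdf" => "application/pdf", "zip" => "application/zip",
}.freeze

# Detect a MIME type from content only; the browser's declared Content-Type is
# deliberately ignored. Returns nil when no signature is recognised.
def detect_mime(content)
  head = content.to_s.byteslice(0, 512).b
  MAGIC.each { |sig, type| return type if head.start_with?(sig) }
  return "text/html" if head.lstrip =~ /\A(<!DOCTYPE\s+html|<html|<script)/i
  nil
end

# Lower-cased extension without the dot, or nil when the name has none.
def extension_of(filename)
  ext = File.extname(filename.to_s).delete_prefix(".").downcase
  ext.empty? ? nil : ext
end

# Decide the fate of an upload:
#   :accepted - detected type matches the type expected for the extension
#   :rejected - both are known and they differ (e.g. HTML content named .png)
#   :skipped  - extension unknown or no signature recognised; nothing reliable
#               to compare, so the existing extension-based rules alone apply
def upload_decision(filename, content)
  expected = (ext = extension_of(filename)) && EXTENSION_TYPES[ext]
  detected = detect_mime(content)
  return :skipped if expected.nil? || detected.nil?
  detected == expected ? :accepted : :rejected
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample uploads: a real PNG header and HTML content named as a PNG.
  png_bytes = "\x89PNG\r\n\x1a\n".b + "\x00" * 16
  puts "logo.png (PNG bytes):  #{upload_decision('logo.png', png_bytes)}"
  puts "logo.png (HTML bytes): #{upload_decision('logo.png', '<html><body>hi</body></html>')}"
end
```

Only confident detections are compared: when neither table recognises the file, the check is skipped rather than failing closed, which avoids rejecting legitimate formats the sniffer does not know. Extension comparison is case-insensitive, and `.jpg`/`.jpeg` map to the same type so aliases do not produce false rejections.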


Related issues

Related to Redmine - Defect #31968: MIME Content Type is not properly handled while attaching the files (Resolved)

#1

Updated by Go MAEDA about 5 hours ago

  • Related to Defect #31968: MIME Content Type is not properly handled while attaching the files added