Feature #43473
Reject file uploads when actual MIME type does not match the file extension
Status: open
% Done: 0%
Description
Redmine currently provides settings for allowed and disallowed file extensions. These settings validate uploaded files based on their file extension. However, a malicious user can upload a file with a misleading extension (e.g., uploading HTML or script content disguised as “.png”). This may pose security risks, especially when such files are served to users.
Redmine already uses Marcel to detect the actual MIME type for image thumbnail generation. This MIME detection can also be used at upload time.
Proposal:
Add a validation step during file upload that detects the actual MIME type from the file content using Marcel and rejects the upload if the detected MIME type does not match the expected MIME type for the file extension. This validation should be configurable on the settings page.
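The check the proposal describes, as an added example that is not Redmine's own code: the content type is sniffed from the leading bytes (a small stand-in for `Marcel::MimeType.for(io)`, which is what Redmine would call), compared against an assumed extension-to-MIME table, and the whole check is gated by an assumed setting flag.

```ruby
require 'stringio'

# Assumed extension -> expected MIME type table (Redmine would derive this
# from its own MIME mappings).
EXPECTED_TYPES = {
  'png'  => 'image/png',
  'gif'  => 'image/gif',
  'jpg'  => 'image/jpeg',
  'jpeg' => 'image/jpeg',
  'pdf'  => 'application/pdf'
}.freeze

# [MIME type, leading bytes] pairs used by the stand-in sniffer below.
MAGIC = [
  ['image/png',       "\x89PNG\r\n\x1A\n".b],
  ['image/gif',       'GIF8'.b],
  ['image/jpeg',      "\xFF\xD8\xFF".b],
  ['application/pdf', '%PDF-'.b]
].freeze

# Stand-in for Marcel::MimeType.for(io): detect from the first bytes only,
# ignoring the file name, so the result reflects the actual content.
def sniff_content_type(io)
  head = io.read(16).to_s.b
  io.rewind
  found = MAGIC.find { |_, magic| head.start_with?(magic) }
  found ? found.first : 'application/octet-stream'
end

# Returns nil when the upload is acceptable, otherwise an error message.
# `enforce` models the proposed on/off setting (assumed name).
def mime_mismatch_error(filename, io, enforce: true)
  return nil unless enforce
  ext = File.extname(filename).delete_prefix('.').downcase
  expected = EXPECTED_TYPES[ext]
  # Unknown extension: leave it to the existing allow/deny extension settings.
  return nil if expected.nil?
  actual = sniff_content_type(io)
  return nil if actual == expected
  "#{filename}: content is #{actual}, but .#{ext} is expected to be #{expected}"
end
```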
Related issues
Updated by Go MAEDA about 7 hours ago
- Related to Defect #31968: MIME Content Type is not properly handled while attaching the files added