Feature #43484
Detect attachment content type from file contents instead of trusting client-provided values
Status: Open
Resolution:
Description
Redmine currently stores the content type of uploaded files based on the value provided by the client, such as web browsers and API clients. This approach is not reliable and can lead to incorrect or misleading MIME types, especially when the client declares a spoofed or incorrect type.
According to the OWASP File Upload Cheat Sheet, the Content-Type header for uploaded files cannot be trusted, because it is easy to spoof.
The attached patch changes the behavior so that Redmine no longer trusts the client-provided content type. Instead, it detects the content type by inspecting the actual file contents using Marcel.
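The check the description outlines, as an added example that is not part of this issue or of Redmine's patch: the stored type comes from the first bytes of the upload, and the client's Content-Type is only compared against the result so a mismatch can be logged. A small hand-written magic-number table stands in for Marcel so the script runs without the gem; `MAGIC_PREFIXES`, `sniff_content_type`, `resolve_content_type` and the `Upload` struct are names chosen for this illustration, and the sample bytes are constructed.

```ruby
require 'stringio'

# Constructed magic-number table for this example: MIME type => byte prefixes.
# Marcel ships a far larger table; this one covers a few common upload types.
MAGIC_PREFIXES = {
  'image/png'       => ["\x89PNG\r\n\x1a\n".b],
  'image/jpeg'      => ["\xFF\xD8\xFF".b],
  'image/gif'       => ['GIF87a'.b, 'GIF89a'.b],
  'application/pdf' => ['%PDF-'.b],
  # "BM" is a weak two-byte signature; it is listed last so that the longer,
  # more specific signatures above are tried first.
  'image/bmp'       => ['BM'.b],
}.freeze

FALLBACK_TYPE = 'application/octet-stream'

# Sniff the content type from the first bytes of an IO. The client's declared
# type is deliberately not consulted, not even as a fallback: an unrecognised
# body is stored as a generic binary type.
def sniff_content_type(io)
  io.rewind
  header = io.read(16).to_s.b
  io.rewind
  MAGIC_PREFIXES.each do |mime, prefixes|
    return mime if prefixes.any? { |prefix| header.start_with?(prefix) }
  end
  FALLBACK_TYPE
end

# Hypothetical upload record mirroring what a controller receives:
# the filename and Content-Type the client sent, plus the file body.
Upload = Struct.new(:filename, :declared_type, :io, keyword_init: true)

# Return the type to store together with a flag saying whether the client's
# claim disagreed with the bytes, so the caller can log the mismatch.
def resolve_content_type(upload)
  detected = sniff_content_type(upload.io)
  { content_type: detected, mismatch: upload.declared_type != detected }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a PDF body uploaded with a spoofed image/png header.
  spoofed = Upload.new(filename: 'report.png', declared_type: 'image/png',
                       io: StringIO.new("%PDF-1.7\n%\xE2\xE3\xCF\xD3\n".b))
  result = resolve_content_type(spoofed)
  puts "#{spoofed.filename}: stored as #{result[:content_type]}" \
       "#{' (client claim ignored)' if result[:mismatch]}"
end
```

In the real patch the lookup is delegated to Marcel (`Marcel::MimeType.for`), which carries the full signature table; the point the example isolates is that the stored value is derived from the bytes and the declared type is reduced to a signal worth logging.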
Files
Related issues
Updated by Go MAEDA 4 months ago
- Related to Feature #43473: Reject file uploads when actual MIME type does not match the file extension added
Updated by Go MAEDA 20 days ago
- File 0001-Improve-Redmine-MockFile-to-better-mimic-File-behavi.patch added
- File 0002-Stop-using-legacy-image-x-ms-bmp-MIME-type-for-BMP-f.patch added
- File 0003-Stop-using-legacy-application-x-pkcs7-signature-MIME.patch added
- File 0004-Detect-attachment-content-type-from-file-contents-in.patch added
- File deleted (0001-Improve-Redmine-MockFile-to-better-mimic-File-behavi.patch)
- Target version set to Candidate for next major release
- File deleted (0002-Stop-using-legacy-image-x-ms-bmp-MIME-type-for-BMP-f.patch)
- File deleted (0003-Stop-using-legacy-application-x-pkcs7-signature-MIME.patch)
- File deleted (0004-Detect-attachment-content-type-from-file-contents-in.patch)
I have updated the patches. Rebased for the current trunk and made minor changes.