Feature #43484

open

Detect attachment content type from file contents instead of trusting client-provided values

Added by Go MAEDA 3 days ago. Updated 2 days ago.

Status: New
Priority: Normal
Assignee: -
Category: Attachments
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:

Description

Redmine currently stores the content type of uploaded files based on the value provided by the client, such as web browsers and API clients. This approach is not reliable and can lead to incorrect or misleading MIME types, especially when the client declares a spoofed or incorrect type.

According to the OWASP File Upload Cheat Sheet, the Content-Type header for uploaded files cannot be trusted, because it is easy to spoof.

The attached patch changes the behavior so that Redmine no longer trusts the client-provided content type. Instead, it detects the content type by inspecting the actual file contents using Marcel.
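The following is an added illustration of the approach the description proposes, not the attached patch and not Marcel itself: a small stand-in sniffer that classifies an upload by its leading bytes and reports when the client-declared type disagrees. The signature table, the `application/octet-stream` fallback for unrecognised data, and the sample uploads are constructed for this example; Marcel carries a far larger table and additionally falls back to the file name or extension, which matters for types such as plain text that carry no magic bytes.

```ruby
require 'stringio'

# Magic-byte signatures at offset 0 for a few common upload types.
# Constructed for this example; Marcel's table is much more complete.
MAGIC_SIGNATURES = {
  "\x89PNG\r\n\x1A\n".b => 'image/png',
  "\xFF\xD8\xFF".b      => 'image/jpeg',
  'GIF87a'.b            => 'image/gif',
  'GIF89a'.b            => 'image/gif',
  '%PDF-'.b             => 'application/pdf',
  "PK\x03\x04".b        => 'application/zip',
}.freeze

# Chosen here so that unknown data is never labelled with the client's claim.
FALLBACK_TYPE = 'application/octet-stream'

# Detect the content type from the first bytes of +io+.
# +declared_type+ (the client's Content-Type) is accepted only so the caller
# can log a mismatch; it never influences the detected value.
def detect_content_type(io, declared_type: nil)
  io.rewind
  head = io.read(16).to_s.b
  io.rewind
  match = MAGIC_SIGNATURES.find { |sig, _| head.start_with?(sig) }
  detected = match ? match.last : FALLBACK_TYPE
  {
    detected: detected,
    declared: declared_type,
    mismatch: !declared_type.nil? && declared_type != detected,
  }
end

# Constructed sample uploads: a genuine PNG, a PDF that the client labelled
# as a PNG, and plain text (which has no magic bytes and so hits the fallback).
def sample_results
  png      = StringIO.new("\x89PNG\r\n\x1A\n".b + ("\x00" * 8).b)
  fake_png = StringIO.new("%PDF-1.7\n%\xE2\xE3\xCF\xD3\n".b)
  text     = StringIO.new('just some plain text'.b)
  [
    detect_content_type(png,      declared_type: 'image/png'),
    detect_content_type(fake_png, declared_type: 'image/png'),
    detect_content_type(text,     declared_type: 'text/plain'),
  ]
end
```

The second sample is the case the issue is about: the stored type becomes `application/pdf` regardless of the spoofed `image/png` the client sent.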



Related issues

Related to Redmine - Feature #43473: Reject file uploads when actual MIME type does not match the file extension (Status: New)
