
Accepted media type image allows files with .jpg extension to be uploaded even if contents are not an image

Open kendrickluong opened this issue 6 years ago • 6 comments

Description:

Accepted Media Types filter on file uploads set to image/* incorrectly accepts files that are not images but have .jpg extension

Steps to reproduce:

  1. Settings > File Upload > Accepted Media Types: images/*
  2. Upload actual_image.jpg: file goes through
  3. Upload random.cer: Media Type Not Accepted (Application/pkix-cert)
  4. Rename random.cer to random.jpg: file goes through

Expected behavior:

random.jpg should not be uploaded

Server Setup Information:

  • Version of Rocket.Chat Server: 1.0.3
  • Operating System: RHEL 7.2 (reports as 4.15.0-1035-aws)
  • Deployment Method: docker
  • Number of Running Instances: 3
  • DB Replicaset Oplog:
  • NodeJS Version: 8.11.4
  • MongoDB Version: 3.6.12

kendrickluong avatar Jul 01 '19 06:07 kendrickluong

I think the problem is that automatic detection of file types is something less than reliable and can still be fooled. It isn't Rocketchat's fault; it's an industry-wide issue.

eg https://stackoverflow.com/questions/24662959/use-file-content-to-determine-mime-type-with-node-js

I'd suggest this can be closed and added as a NFR here:

https://github.com/RocketChat/feature-requests

but I think it is unlikely to get fixed in hurry.

reetp avatar Jul 01 '19 10:07 reetp

I managed to work around this by installing incron and having a trigger whenever a file is put into the Rocket uploads directory to look for "image" in the output of the command file --mime-type and deleting if false.

Jacko50 avatar Jul 15 '19 17:07 Jacko50

I managed to work around this by installing incron and having a trigger whenever a file is put into the Rocket uploads directory to look for "image" in the output of the command file --mime-type and deleting if false.

What's the behaviour of rocketchat if incron deletes the file? Do the sender and receiver both get broken links?

kendrickluong avatar Jul 29 '19 23:07 kendrickluong

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Oct 10 '20 06:10 github-actions[bot]

Any progress?

4li-ra avatar Jan 12 '21 08:01 4li-ra

Any progress? Did this issue get solved?

anoniz avatar Aug 28 '24 10:08 anoniz

Any progress? Did this issue get solved?

This is a way old issue but I don't think there is an easy solution short of some sort of massive processing either on the client or on the server.

Please note there are a plethora of issues related to file uploads and file types.

This has some interesting comments on mime type detection for instance:

https://github.com/RocketChat/Rocket.Chat/issues/31906

reetp avatar Aug 28 '24 17:08 reetp