Certain remote URLs trigger \Transit\File::type() to return wrong $type

[mfn]

Sidenote: I'm using transit via deprecaed CakePHP Uploader Plugin on Linux.

Imagine an URL like: http://server/image.php?id=12312

\Transit\File::type() will perform the following steps:

• $type is first determined via file -b --mime ... and gets detected as image
• next, $ext = $file->ext() will return text/x-php
• they do not match in this check later: $type !== $extType
• $type will be forced to be the file extension type, basically ignoring the actual content type

This behaviour is problematic as serving an image via such an URLs is perfectly legit.

One approach could be to only use the extension if either the file -b --mime... and the finfo_file() logic do not work.

[milesj]

It's funny because I even have a comment about this: https://github.com/milesj/transit/blob/master/src/Transit/File.php#L528

I'm assuming you are using this via an import instead of an upload? It may be a better solution to customize the filename when uploading, instead of relying on the detection. https://github.com/milesj/transit/blob/master/src/Transit/Transit.php#L243

[mfn]

I'm assuming you are using this via an import instead of an upload?

I'll have to take a look how your CakePHP Uploader uses it 😀

But thanks for the heads up, I'll get back on that. We currently work this around by using a proxy (we already had) which luckily for us has an endpoint named /someprxy/?src=http..... In this case, the detection logic does not see a file extension and only passed back the actual content detection.