I am working on a video pipeline for my company and using Laravel 7 for the backend. When uploading files, something I've noticed is that the resulting file extension is not always what it was originally. We accept most common file types and once uploaded, we store them in a temp directory before processing.

What I'm noticing is that Laravel will frequently change the file extension of webm files (if uploading a video file created via JavaScript's MediaRecorder API) or mov files to mkv. This doesn't seem to cause any problems with our transcoding or publishing process, but I'm wondering if it could be a problem in the future.

Is there any reason I shouldn't trust the provided mime type for a file? I get that someone could potentially change the extension on an executable to something that will upload and prevent it from displaying properly or potentially even crashing the browser. However, I don't really understand the practical reason for changing the extension if it doesn't match. Is there more I should be doing on top of this if the detected extension doesn't match the original filename? It feels like I'm missing a few pieces of the whole picture here and I'd like to fix that.

Eric
    Because if I upload a file called "yay.mp4" but it's actually a php file, AND I know a sneaky way to exploit your version of laravel to run a file in your upload directory, now you're part of a botnet. Welcome. **always** validate files on their content (e.g. magic number in the correct byte position, content that is as long as the header bytes says it should be, etc), because mime-types and file extensions are just claims: the thing that did the uploading THINKS those are the mime-type/extension, but they didn't verify that (because that's not their job). You should (because it is =) – Mike 'Pomax' Kamermans Oct 15 '20 at 22:03
  • Okay, so this is a really good point. Thanks for the information. So now I suppose I need to find out more about what laravel is doing when I try to validate these things to know if I need to do more. I do know to validate the mime types and I've run through a lot of the configuration to make sure we're getting these file extensions right, but I've no idea to what extent laravel is validating the content of the files against the mime types. – Eric Oct 15 '20 at 22:13
  • For those searching through google, I found this answer really helpful in explaining what you could potentially expect to happen. https://stackoverflow.com/questions/11851016/how-do-i-validate-that-an-uploaded-file-is-a-video @Mike'Pomax'Kamermans if you would like to submit your reply as an answer, I would be glad to accept it. – Eric Oct 15 '20 at 22:57
  • note that that's only for videos, so usually you want more than that (e.g. common image formats like png/gif/jpg, video formats mov/mp4, document format pdf, and equally importantly, archive formats zip/tar.gz/rar/7z/etc) – Mike 'Pomax' Kamermans Oct 15 '20 at 23:12

2 Answers


Because if I upload a file called "yay.mp4" but it's actually a php file, and I know a sneaky way to exploit your version of laravel to run a file in your upload directory, now you're part of a botnet. Welcome.

Always validate files on their content (e.g. magic number in the correct byte position, content that is as long as the header bytes says it should be, etc), because mime-types and file extensions are just claims: the thing that did the uploading thinks those are the mime-type/extension, but they didn't verify that (because that's not their job). You, however, definitely should (because it is =)

Mike 'Pomax' Kamermans

You should never trust MIME. If I open an image with a text editor and add PHP code at the end, the image will still be an image according to its MIME type, but it could run if I can upload it as a .php file.

The extension is only for filtering out the common ones, etc.

You need to use both extension and mime checking to ensure everything is fine.

CleverSkull