application/octet-stream mime type issue with codeigniter

1
votes

I have a strange problem with codeigniter upload class. I use uploadify (http://www.uploadify.com) to add ajax support on file uploading. When the file is sent from uploadify to codeigniter I always get a message that the filetype isn't allowed. I made some research and found out that the cause of the problem is flash, that is used by uploadify. For some reason it always sends files with application/octet-stream mime type. I tried to upload jpg, png, gif file types, but codeigniter always shows that the type is application/octet-stream.

Does anyone know how should I catch the real file type uploaded with flash in codeigneter?

3
phpcodeigniteruploadify

3 Answers

1
votes

The only solution I've found for this is to add:

'application/octet-stream'

into the application/config/mimes.php file for the various file types that you require. Not particularly helpful but it's the only effective method found.

0
votes

The issue here is that CodeIgniter seems to have a slight bug with its uploader and I agree with @bearfriend.

The is_allowed_filetype() function of the Upload Library allows a parameter of $ignore_mime but this parameter is not supplied within the do_upload function. So my solution is turn mime detection off and (dare I say it) amend the core Upload class so that the file upload check looks like this:

if ( ! $this->is_allowed_filetype($this->detect_mime ? false : true))

** The inverse of your detect_mime parameter is required

There is (unfortunately) another security issue here however. The user could rename virus.exe to allowed.jpg and the file would still be allowed. How bad that is will depend on file permissions and what you're using the files for along with how the files will be used. I for example tried the idea here (https://www.bleepingcomputer.com/forums/t/573945/this-looks-new-and-slipped-by-the-gmail-filters-this-morning/#entry3687679) and it didn't load because it was not a valid image. Different OS may be different.

The other issue with my solution is should you decide to upgrade CI these changes will be lost (although maybe improved by a later release).

Oh and also CI doesn't then ever set $this->file_type with ignore_mime true. The solution if you require the file_type in the output after the upload would be to use your own variable name instead (as opposed to sticking with ignore_mime).

0
votes

I had a similar issue and the solution I found is to create a MY_Upload library and override the function that sets the file_type (_file_mime_type)

class MY_Upload extends CI_Upload {

   /**
    * Override application/octet-stream on file_type
    *
    * @param    array   $file
    * @return   void
    */
   protected function _file_mime_type($file) {
       parent::_file_mime_type($file);

       if ($this->file_type == 'application/octet-stream' && !empty($file['type'])) {
           $this->file_type = $file['type'];
       }

   }

}