2

I'm interested in a comparison of the two with regard to which is more secure when uploading files on a website (that I'm a programmer for).

Mozilla's page about MIME Types states that "On the Web, only the MIME type is relevant and should be set carefully.", implying (to me) that using Magic Numbers is either not possible, or is more easily spoofed.

schroeder
nsaigal
  • Could you clarify? What do you mean by "better when uploading files"? And why would [magic numbers](https://en.wikipedia.org/wiki/File_format#Magic_number) (I suppose this is what you mean by *magic bits*) be "impossible" or in which context do you fear they could be "spoofed"? – Arminius Aug 22 '17 at 22:28
  • Clarified. Better meant more secure. About the "impossibleness" of using magic numbers, that was kind of my question...the link states that only MIME types are relevant. – nsaigal Aug 23 '17 at 12:51

3 Answers

3

If you are talking about file uploads to a server, use various methods to check the filetype. The overhead is tiny. Magic numbers give you a more robust way to verify the filetype but can still be spoofed.

Never rely on the file extension; this is the most trivial part to spoof.

If it were me, regardless of the risk to the system I would always:

  1. verify file extension (the final extension and anything after a .) after sanitising the entire name
  2. verify file size (within defined range)
  3. verify MIME type
  4. check magic numbers

All the above checks use a whitelist for verification.

I would also make sure the uploaded file gets moved to a secure directory (without exec permissions) and gets assigned a random filename.

TrickyDupes
  • An interesting example of spoofing magic numbers can be found in PoC||GTFO articles on polyglots. – forest May 21 '18 at 01:18
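
The checklist from the answer above, sketched as an added example (not code from the answer or its author). The allowlist contents, the size limits and the names `validate_upload`, `store` and `UploadRejected` are assumptions made for illustration.

```python
import os
import secrets

# Allowlist (assumed for this example): extension -> (MIME type, magic-number prefixes)
ALLOWED = {
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".pdf": ("application/pdf", (b"%PDF-",)),
}
MIN_SIZE, MAX_SIZE = 16, 5 * 1024 * 1024  # assumed limits, in bytes

class UploadRejected(ValueError):
    """Raised when any allowlist check fails."""

def validate_upload(client_name: str, declared_mime: str, data: bytes) -> str:
    """Run the four allowlist checks; return a random storage name on success."""
    # 1. Sanitise the name, then check everything after the first dot.
    name = os.path.basename(client_name.replace("\\", "/")).strip().lower()
    if not name or "\x00" in name or name.startswith("."):
        raise UploadRejected("bad file name")
    _stem, *exts = name.split(".")
    if len(exts) != 1 or "." + exts[0] not in ALLOWED:
        raise UploadRejected("extension not allowed")  # also rejects x.php.png
    ext = "." + exts[0]
    expected_mime, magics = ALLOWED[ext]
    # 2. Size within the defined range.
    if not MIN_SIZE <= len(data) <= MAX_SIZE:
        raise UploadRejected("size out of range")
    # 3. The client-declared MIME type must be the one the extension implies.
    if declared_mime.split(";")[0].strip().lower() != expected_mime:
        raise UploadRejected("MIME type mismatch")
    # 4. The magic number must agree with the extension and MIME type.
    if not data.startswith(magics):
        raise UploadRejected("magic number mismatch")
    # The client-supplied name is never used on disk.
    return secrets.token_hex(16) + ext

def store(upload_dir: str, storage_name: str, data: bytes) -> str:
    """Write the file without overwriting anything and without an execute bit."""
    path = os.path.join(upload_dir, storage_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```

A polyglot file can satisfy all four checks at once, so they filter uploads rather than prove a file is harmless; the upload directory still needs script execution disabled.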
0

Yes, MIME types are the recommended method. Since that's what all User Agents (browsers, etc.) do, you can depend on it for default behavior.

If by "magic bits" you mean parsing the file header structures - yes, you could do that as an additional step if your risk is high, i.e., your threat model involves a step where attackers upload a malicious file and that leads to some weakness. It clearly involves additional work on your part (consuming CPU cycles, thus increasing cost) that you should do only when the benefit is "worth it".

There is also the possibility of using file name extensions (e.g., .pdf for PDF format, .jpg / .jpeg for JPEG format, etc.) to detect file types (used quite often) - but again, this is slightly less reliable (my opinion, not proven fact) than using MIME types.

Sas3
0

MIME is relevant for user agents (browsers) when they download files. Magic numbers are relevant for the server when a user uploads a file. You cannot compare them as they have different usages. You can use the magic number (and file extensions) to set the MIME type.

Security has nothing to do with it. Moreover, both file extension and magic number can be spoofed (it's harder to spoof a magic number). For images, you can re-encode them (server side) to remove any potential exploit that could be embedded in them. For other files, there are no good solutions to my knowledge. You should not trust them.

A. Hersean