
Let's say I have a file named foo.sh.jpg or foo.exe.jpg. FastAPI automatically assigns a content-type: image/jpeg in both cases so if you check the MIME type you technically have an image. I wanted to know if by also having a .sh extension it could go undetected (if you only check for MIME type) as a .sh and run itself at some point.

1 Answer

Is it bad?

Bad is subjective. MIME type is mostly just a method of telling the browser how to deal with a specific piece of data. image/jpeg would be treated as binary, and then an attempt would be made to display said image rather than download. I am sure this could be overwritten ... but given default behavior it would just show as a broken image file in the page.

In terms of file extension, Linux pretty much ignores file extensions and thus foobar.sh.exe.whocares.jpg.png wouldn't really matter. Also, chances are the file itself would not be flagged as executable. So even if a user clicked it ... not much would happen.

In terms of file extensions for Windows, foo.sh.exe.is.ignored.only.last.part.is.valid.jpg. Windows would treat it as a jpg file and when clicked would attempt to open it with whatever is set as the default picture viewer. If it's not a valid image file, that program would most likely give an error of some type.

TL;DR: It's bad in the sense that it's confusing and would cause people to scratch their heads ... but ultimately wouldn't do anything useful or destructive.

CaffeineAddiction
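The question hinges on the difference between a content type that is merely guessed from the filename and the actual bytes of the upload. The following is an added example, not code from the question, the answer, or FastAPI itself; it uses the standard-library `mimetypes` module as a stand-in for whatever a framework or browser guesses from the last extension, a small constructed table of image magic bytes, and hypothetical helper names (`validate_upload`, `safe_stored_name`). It shows that `foo.sh.jpg` is reported as `image/jpeg` by the filename guess alone, that a shell script stored under that name fails a magic-byte check, and how to store an accepted file under a server-chosen single-extension name.

```python
import mimetypes
import os
import re

# Constructed signature table for the only types this endpoint accepts.
# Keys are MIME types; values are the leading bytes a real file must start with.
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
}
# Canonical extension we will store each verified type under.
ALLOWED = {"image/jpeg": ".jpg", "image/png": ".png"}


def declared_type(filename):
    """Type guessed from the *last* extension only, the way the question
    describes: 'foo.sh.jpg' -> 'image/jpeg', 'foo.jpg.sh' -> not an image."""
    guessed, _encoding = mimetypes.guess_type(filename)
    return guessed


def sniffed_type(data):
    """Type derived from the file's leading bytes, or None if it matches
    none of the accepted signatures."""
    for mime, signature in MAGIC.items():
        if data.startswith(signature):
            return mime
    return None


def validate_upload(filename, data):
    """Return (accepted, reason). A file is accepted only when the
    extension-based type is on the allow list, the bytes carry a known
    image signature, and the two agree."""
    declared = declared_type(filename)
    if declared not in ALLOWED:
        return False, f"declared type {declared!r} is not an allowed image type"
    sniffed = sniffed_type(data)
    if sniffed is None:
        return False, "content does not start with an allowed image signature"
    if sniffed != declared:
        return False, f"extension says {declared} but content looks like {sniffed}"
    return True, "ok"


def safe_stored_name(filename, mime):
    """Server-chosen name: the client's stem with every non-alphanumeric run
    collapsed to '_' plus the single extension for the verified type, so
    'foo.sh.jpg' is kept as 'foo_sh.jpg' and never ends in '.sh'."""
    stem = os.path.basename(filename).rsplit(".", 1)[0]
    stem = re.sub(r"[^A-Za-z0-9]+", "_", stem).strip("_")[:64] or "upload"
    return stem + ALLOWED[mime]


if __name__ == "__main__":
    # Constructed sample uploads: a shell script under an image name, a
    # minimal JPEG header under the same name, and a JPEG under a .png name.
    script_bytes = b"#!/bin/sh\necho hello\n"
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    for name, data in [("foo.sh.jpg", script_bytes),
                       ("foo.sh.jpg", jpeg_bytes),
                       ("foo.png", jpeg_bytes),
                       ("foo.jpg.sh", script_bytes)]:
        ok, reason = validate_upload(name, data)
        print(f"{name:12} declared={declared_type(name)!s:12} accepted={ok} ({reason})")
        if ok:
            print("   stored as:", safe_stored_name(name, sniffed_type(data)))
```

The magic-byte check is what a content-type-only check lacks: it is applied to the bytes the server actually received, not to a header or a filename the client controls. Storing under a server-chosen name with a single verified extension also removes the ambiguity the answer describes, since nothing downstream ever sees the `.sh` segment.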