6

If people's computers can decide what to do with files based on their extensions (.pdf, .mp3, .docx, .dotx, etc.), why do web servers and email apps need to also specify a MIME type?

I can see this being useful if you want to deliver a file in a way that differs from the default (e.g. show a .py or .html file as plain text) or if the file extension is unregistered on the client computer, but in most cases, if I'm creating a new file format (say .foobaz) and want to enable people to share these files on the web and over email, shouldn't it be sufficient to rely on the client recognizing the file extension?

RexE
  • 369
  • 1
  • 5
  • 11

5 Answers5

4

Mime type clearly specifies the intended use of the file. File extensions only hint at the content. Both can be wrong. DOC has been used by a number of text editors with a variety of internal file formats.

Faking extensions is used extensively to mislead people as the the file type. This can be used to malware of various kinds. It can also lead to security bugs. If myfile.txt would be validated for security as a text file, and later by content inspection is run as an executable, you may end up with an infected machine.

Unix uses an executable bit to indicate which file can be run. Scripts can start with a bang path indicating which interpreter should execute them. The file command can be used to fairly reliably determine the file type with or without an extension.

Using extensions to identify which file use can lead to ambiguity. If I have myfile.exe, myfile.com, myfile.bat, and myfile.cmd, which runs if I run the command myfile.

BillThor
  • 27,354
  • 3
  • 35
  • 69
  • Practically, however, files stored in Unix systems are not associated with a Mime type. So we have to rely on things like `file` to infer the file type. This generally uses a "magic number" (or similar small test) to determine the type of the file, which in many cases seems indistinguishable from a human-readable extension. – jwadsack Oct 07 '14 at 17:22
3

You are looking at it the wrong way round.

A file needs a mimetype so a client knows how to handle the file.

Your question should the other way round too:

Why do we need file extensions if we can identify file types by the mime type?

To which the answer is probably to make is easier for humans to identify what type a file is by looking at the name. There may be other reasons on Windows.

Richard Holloway
  • 7,256
  • 2
  • 24
  • 30
2

That only happens in the windows world in the unix world files do not have to have an extension they are identified by mime type.

topdog
  • 3,490
  • 16
  • 13
0

As small and bespoke (custom designed) applications tend to be rather liberal about their file extensions. This can lead to file extensions which are used to represent multiple types of files.

As there is no guarantee that a file extension corresponds with a given type of file, the receiver might not be able to identify the type of file and would not be able to obtain the correct program to open it.

In addition to MIME types, there is also other systems to identify files, for example, Magic Numbers. Which means that file extensions are not needed. File extensions can also be renamed by users who cannot then open the files, which means they are likely to contact support.

-1

Because users are stupid and rename files all the time. You can't trust a filename to be named correctly. I'm still amazed at the number of people who rename someFile.xltm to someFile.xls then wonder why their spreadsheet template does not work. MS use of file names to determine content type is a lazy weakness and a security hazard.

  • But users do not manage servers. It is also not a security hazard. While changing the file extension may break it, it will not change the security, access to the file, or file contents. – Cory Knutson Oct 09 '17 at 15:29