I've had this question for a while: how exactly is the mime type of a file determined? I believe this is done by checking if specific bytes of the file contain any of the known magic numbers / file signatures, right?
If so, this poses another question: let's say I upload a bash script with a fake GIF file signature to a website that only allows images to be uploaded. What is going to happen? Either:
image/gif is wrongly returned as the mimetype and the upload is allowed to continue
I don't have a hex editor installed ATM, and I don't like to form security-related conclusions from tests as I might miss (or misinterpret) something, so my question is: which one of the above options is correct?
Also, are there any other best practices (besides checking the mimetype) to assure that any given file is in fact what it seems / needs (or is allowed) to be? Thanks in advance.
PS: Just to be clear, I'm not asking about the type index in the $_FILES superglobal.
My understanding is the MIME determination routines in the file upload code are extremely crude and that the MIME type in the $_FILES array simply can't be trusted. It's been my experience that it's easily foxed.
You're better off using the Fileinfo library, which provides more robust file type detection.
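The following is an added example, not code from the question or the answer above, that shows in Python what the question describes: a signature-based sniffer (the approach libmagic, and therefore PHP's Fileinfo/finfo, uses: it recognises GIF from the six-byte "GIF87a"/"GIF89a" prefix and then reads the two dimension words after it) happily reports a shell script with a forged GIF prefix as image/gif, whereas a check that walks the GIF block grammar to the trailer rejects it. The sample inputs (a hand-built 1x1 GIF89a, the forged script, and a real GIF with the script appended) are constructed here; the function names sniff_mime and parse_gif are this example's own.

```python
import struct
from typing import Tuple

# Constructed sample inputs (not taken from the original post).
# A real, minimal 1x1 GIF89a: header, logical screen descriptor,
# 2-entry global colour table, one image descriptor with LZW data, trailer.
REAL_GIF = (
    b"GIF89a"
    + b"\x01\x00\x01\x00"          # width=1, height=1 (little-endian)
    + b"\x80\x00\x00"              # GCT present, 2 colours, bg index 0, aspect 0
    + b"\x00\x00\x00\xff\xff\xff"  # global colour table: black, white
    + b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, no LCT
    + b"\x02\x02\x44\x01\x00"      # LZW min code size 2, one 2-byte sub-block, terminator
    + b"\x3b"                      # trailer
)

# A shell script with a forged GIF signature prepended.
FAKE_GIF = b"GIF89a\n#!/bin/sh\necho pwned\n"

# A genuine GIF with the script appended after the trailer.
POLYGLOT = REAL_GIF + b"\n#!/bin/sh\necho pwned\n"

# (offset, magic bytes, mime) in the style of a libmagic rule set.
SIGNATURES = [
    (0, b"GIF87a", "image/gif"),
    (0, b"GIF89a", "image/gif"),
    (0, b"\x89PNG\r\n\x1a\n", "image/png"),
    (0, b"\xff\xd8\xff", "image/jpeg"),
]


def sniff_mime(data: bytes) -> str:
    """Magic-number sniffing: the first matching prefix wins, nothing else is inspected."""
    for offset, magic, mime in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return mime
    return "application/octet-stream"


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Walk a chain of GIF data sub-blocks; return the offset after the 0-length terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        if pos + n > len(data):
            raise ValueError("truncated sub-block data")
        pos += n


def parse_gif(data: bytes) -> Tuple[bool, str]:
    """Structural check: the whole file must follow the GIF87a/89a block grammar up to the trailer."""
    try:
        if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
            return False, "bad header"
        width, height, packed = struct.unpack("<HHB", data[6:11])
        if width == 0 or height == 0:
            return False, "zero dimension"
        pos = 13  # past header + logical screen descriptor
        if packed & 0x80:  # global colour table follows, 3 bytes per entry
            pos += 3 * (2 << (packed & 0x07))
        while True:
            if pos >= len(data):
                return False, "missing trailer"
            tag = data[pos]
            pos += 1
            if tag == 0x3B:  # trailer: nothing may follow it
                if pos != len(data):
                    return False, f"{len(data) - pos} trailing bytes after trailer"
                return True, "well-formed"
            if tag == 0x21:  # extension: one label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 1)
            elif tag == 0x2C:  # image descriptor: 9 bytes, optional LCT, LZW min code size, sub-blocks
                if pos + 9 > len(data):
                    return False, "truncated image descriptor"
                ipacked = data[pos + 8]
                pos += 9
                if ipacked & 0x80:
                    pos += 3 * (2 << (ipacked & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)
            else:
                return False, f"unexpected block tag 0x{tag:02x} at offset {pos - 1}"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name, blob in (("real", REAL_GIF), ("fake", FAKE_GIF), ("polyglot", POLYGLOT)):
        print(f"{name:8s} sniffed={sniff_mime(blob):24s} structure={parse_gif(blob)}")
```

Running it shows that sniff_mime says image/gif for all three inputs (the forged file even yields plausible-looking dimensions, 8970 x 12065, from the bytes of "\n#!/"), while parse_gif accepts only the real GIF and names the byte where the fake one breaks. Note the third case: a valid image with the script appended after the trailer is a perfectly good GIF as far as a signature check, and most decoders, are concerned, so a structural check should reject trailing data, and the usual further defences (re-encode the image server-side, store it under a generated name in a location the web server does not execute from, and serve it with a fixed Content-Type) still apply.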