J3 Issue No Code Attached Yet
avatar jen4web
jen4web
24 May 2017

Steps to reproduce the issue

Go to: Content / Media

Click green Upload button, upload PDF file

Expected result

PDF file uploads without issue

Actual result

Error
Invalid mime type detected.

System information (as much as possible)

Site hosted at Rochen

Database Version 10.1.23-MariaDB
PHP Version 7.0.19
Web Server LiteSpeed
WebServer to PHP Interface litespeed
Joomla! Version Joomla! 3.7.2 Stable [ Amani ] 22-May-2017 09:46 GMT
Joomla! Platform Version Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT

I have disabled "check mime types" in the Media Options (click Options button from Media screen).

Legal MIME types: image/jpeg,image/gif,image/png,image/bmp,application/x-shockwave-flash,application/msword,application/excel,application/pdf,application/powerpoint,text/plain,application/x-zip

Legal extensions: bmp,csv,doc,gif,ico,jpg,jpeg,odg,odp,ods,odt,pdf,png,ppt,swf,txt,xcf,xls,BMP,CSV,DOC,GIF,ICO,JPG,JPEG,ODG,ODP,ODS,ODT,PDF,PNG,PPT,SWF,TXT,XCF,XLS

Additional comments

I have been uploading files through the Media Manager. JPG and PNG work, while PDF does not.

I reported this to Rochen, who confirmed that finfo_open and mime_content_type were installed, available, and working correctly.

Their response was this: "Well there seems to be compatibility issue with mime_content_type on Joomla version and PHP v7.0, If I switch the PHP version to v5.6 it is working fine.

It appears the patch provided isn't working on 3.7.1 and 3.7.2, due to mime_content_type. Thanks!"

Previously I was running PHP 7.0.19.

Votes

# of Users Experiencing Issue
2/2
Average Importance Score
4.00

avatar jen4web jen4web - open - 24 May 2017
avatar joomla-cms-bot joomla-cms-bot - change - 24 May 2017
Labels Added: No Code Attached Yet
avatar joomla-cms-bot joomla-cms-bot - labeled - 24 May 2017
avatar franz-wohlkoenig franz-wohlkoenig - change - 24 May 2017
Category com_media
avatar franz-wohlkoenig
franz-wohlkoenig - comment - 24 May 2017

Can't confirm, test using PHP 7.0.15 and 7.1.1.

System information

3.7.3-dev
Multilanguage Site
macOS Sierra, 10.12.5
Firefox 53 (64-bit)

MAMP 4.1.1

  • MySQLi 5.6.35
avatar franz-wohlkoenig franz-wohlkoenig - change - 24 May 2017
Status New Discussion
avatar C-Lodder
C-Lodder - comment - 24 May 2017

I cannot replicate this at all.

  • Joomla 3.7.3-dev
  • Wampserver
  • PHP 7.0.10
avatar Quy
Quy - comment - 24 May 2017

Cannot replicate:

  • PHP 7.0.19
  • Apache/Linux
  • Joomla! 3.7.2 Stable
avatar esedic
esedic - comment - 24 May 2017

I also couldn't replicate this issue, pdf uploaded without errors.
Joomla 3.7.2 with PHP 7.1.1

avatar zero-24 zero-24 - assigned - 24 May 17
avatar stevlam
stevlam - comment - 24 May 2017

PHP 7.0.18
Joomla! 3.7.2 Stable
Linux

we're having this issue - "fileinfo.so" php extension was disabled in server.
enabled fileinfo php extension and all good.

maybe a more informative error message would help debuging issue adding something like "Could not detect the file mime type. Please check with your host if you have fileinfo PHP extension enabled.".

anyway with php fileinfo extension enabled cannot replicate the issue.

avatar jen4web
jen4web - comment - 24 May 2017

My fileinfo extension is enabled.

avatar JazParkyn
JazParkyn - comment - 24 May 2017

Confirmed issue on Rochen server:

PHP Built On Linux impress51.directrouter.com 3.10.0-427.36.1.lve1.4.43.el7.x86_64 #1 SMP Wed Mar 29 16:13:25 EDT 2017 x86_64
Database Version 10.1.23-MariaDB
Database Collation utf8_general_ci
Database Connection Collation utf8mb4_general_ci
PHP Version 7.0.18
Web Server Apache
WebServer to PHP Interface cgi-fcgi
Joomla! Version Joomla! 3.7.2 Stable [ Amani ] 22-May-2017 09:46 GMT
Joomla! Platform Version Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT
User Agent Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0

avatar Quy
Quy - comment - 24 May 2017

I have disabled "check mime types" in the Media Options (click Options button from Media screen).

@zero-24 Since Check MIME Types is disabled, Invalid mime type detected. shouldn't be checked/displayed. Right???

avatar jen4web
jen4web - comment - 24 May 2017

Update from Rochen --

After telling me that fileinfo and mime_content_type were enabled, they were able to get the PDF upload working under PHP 5.6. (In the control panel, go to PHP version and switch it.)

However, a second support person has come back to me after that change was made. He switched PHP 5.6 back to PHP 7.0. The PDF upload now works.

He says "I suppose it's possible that a needed PHP extension (like fileinfo) hadn't been selected previously, but the new defaults in the selector resolved the problem."

So, suggestion for other Rochen people with this issue:

a. log into cPanel
b. Choose "select PHP version" under "software" heading
c. See if fileinfo is checked.

If it IS checked, and you can't upload PDFs, then try:
a. Switch the version to 5.6 with the dropdown and apply the setting
b. Now switch back to PHP 7.0. Test to see if you can upload PDFs now.

My guess is that "fileinfo" is showing as checked when it's not really set.

avatar jen4web
jen4web - comment - 24 May 2017

Quy -- yes, that was my expectation for turning off the MIME type check. However, it had no effect on my ability/inability to upload a PDF.

Fix (???) is listed in the post before this one.

avatar Quy
Quy - comment - 24 May 2017

@jen4web My expectation too. The code has to be reworked to first check that Check MIME Types is enabled and not after the fact.

avatar zero-24
zero-24 - comment - 24 May 2017

@jen4web what error do you get when mime checking is disabled? As this should never be a option you should set.

If you try to upload a file on a server where we can not check or detect the mime type we don't allow uploading it.

The Check MIME Types check is about checking the actual mime type against the allowed mime type. If no mime type is detected this is not taken into account and upload is blocked.

avatar jen4web
jen4web - comment - 24 May 2017

My issue is resolved at this point. However, when it was broken, I tried uploading the PDF with mime checking enabled and disabled. Error message was the same:

Error
Invalid mime type detected.

avatar zero-24
zero-24 - comment - 24 May 2017

Sure we can improve that message. But this means "We can not detect any mime type for that file so we don't allow uploading it"

avatar Quy
Quy - comment - 24 May 2017

Here is the description for Check MIME Types:

Use MIME Magic or Fileinfo to attempt to verify files. Try disabling this if you get invalid mime type errors.

getMimeType() should only be executed if Check MIME Types is enabled.

avatar zero-24
zero-24 - comment - 24 May 2017

invalid mime type errors.

The problem is that you do not get "invalid mime type error" (i have already sayed that the message needs to be inproved) you get the "mime type detection is not working on your system" error. Which IMO should be fixed on server side and not just ignored by the CMS. As this is a server / configuration error and not a CMS error ;).

We maybe need a suggestion for a better error message in that case.

avatar zero-24
zero-24 - comment - 24 May 2017

Please take a look here: #16246 for a extended message.

avatar gwsdesk
gwsdesk - comment - 24 May 2017

I am sorry but I cannot replicate this on our servers (PHP 7.1.14). Neither in default media manager nor in /TinyMCEJCE. I can upload pdf's either from frontend or admin without problems and if pdf's disabled (in media options) I do get the proper message (extension not supported)

However: The pdf's show in the file system with FTP (after upload in the media manager but they do not show after upload in the media manager itself in the administrator (they are uploaded as stated since they show in the file manager with ftp) That only happens when uploaded in this case with Tiny/JCE but they show when uploaded with/in the admin panel in the media manager itself (!)

so by using the media manager upload they show but when upload with any editor they don't show in the media manager in admin backend despite being listed in the file system (FTP)

avatar zero-24
zero-24 - comment - 24 May 2017

@gwsdesk

I am sorry but I cannot replicate this on our servers (PHP 7.1.14).

Sure the most of us can't as it looks like a server / hosting issue.

so by using the media manager upload they show but when upload with any editor they don't show in the media manager in admin backend despite being listed in the file system (FTP)

Please double check that. For the frontend image button this is expected (only images) and this is a longstanding behavior so nothing changed in 3.7.1/2

In the backend it is working fine for me:
image

avatar brianteeman
brianteeman - comment - 24 May 2017

For reference I have notified Rochen of this issue and they are investigating

avatar mbabker
mbabker - comment - 24 May 2017

In general, things are working fine as long as the server is correctly configured. The issue we are running into it seems is that there are hosting environments (such as Rochen's) which are disabling features that are by default enabled in the baseline PHP distribution. So, we need to improve our handling a bit; though fileinfo is enabled by default since PHP 5.3.0 (source - https://secure.php.net/manual/en/fileinfo.installation.php), we can't rely on its presence so we need to get a little defensive in our coding. It's not much different than how we had to have some defensive coding around the use of parse_ini_file() and parse_ini_string().

avatar zero-24
zero-24 - comment - 24 May 2017

So, we need to improve our handling a bit

we can't rely on its presence so we need to get a little defensive in our coding.

Any suggestions?

avatar gwsdesk
gwsdesk - comment - 24 May 2017

@zero-24 I do disagree with you on upload pdf. Please read what I wrote. I can upload with JCE for instance and it is successful. However the pdf won't show in the media manager but is in the file system.... See images
pdf_upload_ftp
pdf_upload1

avatar mbabker
mbabker - comment - 24 May 2017

That modal is hardcoded to only display images, even if the upload was successful it will never display PDF files.

avatar brianteeman
brianteeman - comment - 24 May 2017

and that is NOT a new thing - it has always been that way

avatar gwsdesk
gwsdesk - comment - 24 May 2017

I get you but why not? If mime-types are supported they should show?

avatar brianteeman
brianteeman - comment - 24 May 2017

read what michael wrote!!!

avatar gwsdesk
gwsdesk - comment - 24 May 2017

I did but I asked a question on that is that wrong?

avatar zero-24
zero-24 - comment - 24 May 2017

I did but I asked a question on that is that wrong?

THis is a complete different issue and a long standing one too ;) PLease open a new issue for that.

Btw that button is told to be "image" please look at your screenshot ther is also the mention that it is only images. (PDF != image :P)

avatar mbabker
mbabker - comment - 24 May 2017

I get you but why not? If mime-types are supported they should show?

That specific modal and the field it's attached to have always been hardcoded to images only (don't ask why, a decision made long ago is all I know and I had to essentially build a fork of com_media to work with non-image files with a similar user interface). So that view is different than the default media manager view which should show everything in the images directory.

As for uploading through JCE, if it's not going through our library class that's running this check, that would explain why you can upload through the editor but not through com_media.

avatar gwsdesk
gwsdesk - comment - 24 May 2017

Thanks but I can also upload through com_media and that works also but it won't list in the media manager despite being present in the file system (but I do understand the hard-coded thing)

avatar gwsdesk
gwsdesk - comment - 24 May 2017

Note: therefor we have in JCE a different function to link to a file ;-) (get it now)

avatar brianteeman
brianteeman - comment - 24 May 2017

which of course means that JCE might not be protecting your uploads

avatar zero-24
zero-24 - comment - 24 May 2017

which of course means that JCE might not be protecting your uploads

JCE is not affected by this because they don't use JHelperMedia's canUpload method. IIRC they use it's own method.

avatar gwsdesk
gwsdesk - comment - 24 May 2017

@brianteeman Just like com_media since I can upload pdf's but they do not get listed in com_media but are in the file system. Sorry Brian, for me wrong argument

avatar gwsdesk
gwsdesk - comment - 24 May 2017

@zero-24 That clarifies thanks

avatar mbabker
mbabker - comment - 24 May 2017

If you can view your uploaded PDFs at administrator/index.php?option=com_media (the main media manager view, not the modal window) then the system is working fine. com_media has two main views, the full view which lists everything, and the popup view which is ONLY images. It is a discussion for another issue whether there should be a popup view showing all files, fully separate from this issue thread. Right now though, the fact that you cannot view uploaded PDFs in the popup window is the system design, for reasons already explained.

avatar gwsdesk
gwsdesk - comment - 24 May 2017

@mbabker I can upload a screencast for you showing that I can upload a pdf both in admin (com_media) and in frontend with JCE? If you say that an upload is not possible we have a bug since I can as shown in the image?

avatar mbabker
mbabker - comment - 24 May 2017

I'm not talking about upload at this point, I'm talking about viewing the directory contents, in response to your screenshots saying that PDF files are not being displayed even though they exist on the server.

avatar zero-24 zero-24 - unassigned - 24 May 17
avatar gwsdesk
gwsdesk - comment - 24 May 2017

OK as suggested by @zero-24 I will open a different issue for this. Thanks for the guidance

avatar regexaurus
regexaurus - comment - 25 May 2017

Related to but not the exact problem described by jen4web:

I'm using DreamHost shared hosting, with PHP 7.0.14 and Joomla! 3.7.2. Neither finfo_open nor mime_content_type are enabled by default. After editing a phprc to enable fileinfo as described in DreamHost's knowledgebase, PDF upload succeeds. But attempting to upload mp3 files fail with "Error - Illegal mime type detected: application/octet-stream" or "Error - Illegal mime type detected: audio/mpeg." A simple workaround is to add these types to Legal MIME Types or perhaps set Check MIME Types to No in com_media options. I'm not sure what (if any) security this implicates. This topic on Stack Overflow may help other Joomla users make sense of the seemingly inconsistent errors when uploading mp3s: why some mp3s on mime_content_type return application/octet-stream.

avatar brianteeman
brianteeman - comment - 25 May 2017

" A simple workaround is to add these types to Legal MIME Types

that is not a workaround that is the expected behaviour

avatar zero-24
zero-24 - comment - 25 May 2017

How did you got the octet-stream error message? What exact steps do you took?

avatar ammaridris
ammaridris - comment - 26 May 2017

Work for me to upload PDF file from Media Manager. I use PHP 7.0.11. Just enable extension = fileinfo.so in php.ini

avatar lazytocook
lazytocook - comment - 26 May 2017

PHP 5.5.3 Joomla 3.7.2 Failing to upload pdfs. All has been well all along but moving to 3.7.1 then updating to 3.7.2 has solved nothing.
mime test

avatar zero-24
zero-24 - comment - 26 May 2017

@lazytocook please get in contact with your hosting and ask about the fileinfo extension to be enabled.

avatar lazytocook
lazytocook - comment - 26 May 2017

@zero-24, thanks will get in touch with my host and get back to you with results.

avatar dstncz
dstncz - comment - 31 May 2017

I've experienced this issue on multiple sites on both 3.7.1 and 3.7.2 running both PHP 5.6 and 7.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16238.

avatar franz-wohlkoenig
franz-wohlkoenig - comment - 31 May 2017

@dstncz have this comment (and following) helped?

avatar dstncz
dstncz - comment - 31 May 2017

My host (siteground) is telling me fileinfo support is enabled
version 1.0.5
libmagic 517

Still having the issue.

avatar zero-24
zero-24 - comment - 31 May 2017

I have just boarded to my plane. When i'm landed i can prepare you a detection script on what is working or not.
Until that please double check the fileinfo extension using the PHP info file. Thanks

avatar brianteeman
brianteeman - comment - 31 May 2017

@dstncz I just checked on my siteground account with php 7.0 and had no problem at all

avatar zero-24
zero-24 - comment - 31 May 2017

if (function_exists('mime_content_type'))
{
	echo 'We use mime magic.';
}
elseif (function_exists('finfo_open'))
{
	echo 'We use fileinfo';
}
else
{
	echo 'mime magic & fileinfo is not enabled';
}
exit;

Please add this to the top of your template index php file (you can use the backend template editor). And show us the result. Thanks.

avatar brianteeman
brianteeman - comment - 31 May 2017

for reference I got "we use mime magic" on my SG account

fileinfo

fileinfo support enabled
version 1.0.5
libmagic 522

avatar dstncz
dstncz - comment - 31 May 2017

Says "we use mime magic"

SiteGround support also got back to me. They are adamant that it is a 3rd party extension causing the issue. We set up a clean Joomla install on the same container and pdfs upload fine.

avatar zero-24
zero-24 - comment - 31 May 2017

thanks for the feedback 😄

avatar brianteeman
brianteeman - comment - 31 May 2017

@dstncz based on all our tests it does sound like they are correct

avatar dstncz
dstncz - comment - 31 May 2017

I'm having a hard time tracking this down. In addition to our site at SG we are also experiencing this issue with 3 additional sites on a separate container hosted at PowerVPS. One of which has barely any extra extensions (3.7.1 with Akeeba Backup, Brute Force Stop, JCE & Rokcandy).

I've tried disabling all the mentioned extensions and still get the mime error.

Related: I've confirmed that fileinfo is enabled on this container as well with the host.

Thought it might possibly be something with CXS, so fully disabled that. Still getting the error.

Any ideas?

avatar dstncz
dstncz - comment - 31 May 2017

I was able to resolve the issue on both our containers. For the sites running 3.7.1 upgrading to 3.7.2 fixed it. For the SG site, we restored to a backup of 3.7.1 then re-upgraded to 3.7.2.

avatar cloakendagger
cloakendagger - comment - 8 Jun 2017

Joomla 3.7.2 with PHP 7.1.1
Was able to replicate the issue and then solved it by enabling fileinfo.so

avatar hamsel42
hamsel42 - comment - 25 Sep 2017

Joomla 3.8.0 with PHP 7.0.22 - same for PHP 7.1.7:

Seems like upgrading from Joomla! 3.7.2 to 3.8.0 has reintroduced the Invalid mime type problem.
phpinfo says version 7.0.22 and fileinfo enabled, yet an attempt to upload a PDF via Media Mgr fails with "Illegal or invalid mime type".

/Perscreen shot 2017-09-25 at 23 28 30

screen shot 2017-09-25 at 23 28 32screen shot 2017-09-25 at 23 28 34screen shot 2017-09-25 at 23 28 36


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16238.

avatar hamsel42
hamsel42 - comment - 25 Sep 2017

BTW:
"We use mime magic."


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16238.

avatar simbus82
simbus82 - comment - 30 Nov 2017

Hi, i have similar problem.
Joomla 3.8.2, PHP 5.6 and php 7.0

I have mime, fileinfo, etc...

After trying to upload a PDF in media manager, even with check mime types OFF and PDF in excluded extension, even with application/octet-stream i receive this error:

0 - Invalid controller: name='file', format='html'

I can't upload with Docman too...

systeminfo-2017-11-30T14_47_16+00_00.txt

EDIT: with K2 Media Manager i can upload without any problem!

EDIT 2: If i try to upload with JCE File Browser i receive "The server returned an invalid JSON response."

avatar robbiejackson
robbiejackson - comment - 22 Dec 2017

I think the problem could be alleviated by changing some of the code in the Media Helper canUpload() method, around lines 270 to 283 in libraries/src/Helper/MediaHelper.php in joomla 3.8.

Change:

if ($mime != false)
{
   :	[check MIME type is legal]
}
// We can't detect the mime type so it looks like an invalid file
else
{
	$app->enqueueMessage(\JText::_('JLIB_MEDIA_ERROR_WARNINVALID_MIME'), 'error');
	return false;
}
if (!\JFactory::getUser()->authorise('core.manage', $component))
{
	$app->enqueueMessage(\JText::_('JLIB_MEDIA_ERROR_WARNNOTADMIN'), 'error');
	return false;
}

to

if ($mime != false)
{
   :	[check MIME type is legal]
}
// We can't detect the mime type so it looks like an invalid file
else
{
	if (!\JFactory::getUser()->authorise('core.manage', $component))
	{
		$app->enqueueMessage(\JText::_('JLIB_MEDIA_ERROR_WARNNOTADMIN'), 'error');
		return false;
	}
}

This means that if for some reason the MIME type can't be ascertained, the code checks if the user has Media "core.manage" access before it disallows the upload. So users with sufficient privilege can still do their job, without having to relax the Restrict Uploads setting. (It would also fix this problem).

To my mind, this also fixes another inconsistency when the Restrict Uploads is set. When a user who doesn't have "core.manage" access tries to upload a non-image file – even though the file has a legal MIME type, the upload is still rejected because the user doesn't have "core.manage" privilege. Which doesn't in my opinion fit with the description of the Restrict Uploads setting "Restrict uploads for lower than manager users to just images if Fileinfo or MIME magic isn't installed.", in that it restricts it even if the system can determine the MIME type, and the file passes the legal MIME types check.

avatar ecoita
ecoita - comment - 25 Jan 2018

Oddly enough, I've looked in many places and could not find answers that worked for me. Found this one below and it worked like a charm. Not sure why though...

Login to your Joomla Backend.
Go to The System Menu and select Global Configuration.
Under the component menus, select Media.
In the Media Section, scroll to Ignored Extensions
Type in the following text:   application/pdf,pdf,txt,text/plain

Try uploading a pdf, that is what fixed it for me.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16238.
avatar Quy
Quy - comment - 15 Mar 2018

@zero-24 Can this be closed?

avatar hamsel42
hamsel42 - comment - 18 Mar 2018

The work-around works, because it is negatively ignored as a media type. Since PDFs play an important role in SoHo site creations, e.g. for ideal communities, PDF as a mime type should be allowed per default. My recommendation would be for the Joomla core team to incorporate a fix into the next Joomla release to allow for PDFs.

avatar zero-24
zero-24 - comment - 19 Mar 2018

Thanks for your recomendation.

PDF has been enabend per default for serveral releases. But for obius reasons we don't overwrite your settings using update ;-)

This is more a issue with your server not beeing able to detect the file extension.

To me it is the expected behavior that if a extension cant bee detected the upload fails (this is the reason i wrote the code this way) but I'm happy to get another opinions. Technical this is a broken server config and well we can implement workarrounds but they will all compromise Security..

avatar carcam
carcam - comment - 20 Mar 2018

In any case the setting "Check MIME Types" is not taken into account, so at least we should provide a fix for that, right?

avatar robbiejackson
robbiejackson - comment - 20 Mar 2018

If the upload is always disallowed if the MIME type can't be determined, then in that case what does the config parameter Restrict Uploads mean? Its tooltip is "Restrict uploads for lower than manager users to just images if Fileinfo or MIME magic isn't installed".

I think there's an inconsistency between the tooltip description of this config parameter and the actual coded functionality, and it would be helpful to fix this.

avatar brianteeman brianteeman - labeled - 25 Mar 2018
avatar Quy
Quy - comment - 12 Apr 2018

@zero-24 I don't see Illegal MIME Types setting being utilized. Do you know why?

avatar ecoita
ecoita - comment - 12 Apr 2018

Yes

On Thu, Mar 15, 2018 at 3:32 PM Quy notifications@github.com wrote:

@zero-24 https://github.com/zero-24 Can this be closed?


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#16238 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ADwCKYnuL3y03QhLJ8NZl6F65BFnrSglks5tes-2gaJpZM4Nk8b9
.

--
Best Regards,

Everett Alexander

Moxy Mediaworks
http://www.moxymediaworks.com http://moxymediaworks.com

avatar zero-24
zero-24 - comment - 12 Apr 2018

@zero-24 I don't see Illegal MIME Types setting being utilized. Do you know why?

Yes because anything that is not allowed is illegal ;)

avatar Quy
Quy - comment - 13 Apr 2018

Yes because anything that is not allowed is illegal ;)

Then why have Illegal MIME Types setting?

Check MIME Types = Use MIME Magic or Fileinfo to try to verify files. Try disabling this if you get invalid mime type errors.

According to the above description, this setting can be used to disable the invalid mime type errors, but that is not possible since it is performed after getMimeType.

Shouldn't it be something like this?

if ($params->get('check_mime', 1))
{
        $mime = $this->getMimeType();
        ....
}
avatar robbiejackson
robbiejackson - comment - 13 Apr 2018

Perhaps it's best to consider what the options should be, and ensure that the code then matches that. The fact that Fileinfo is now an inherent part of PHP has changed things a bit.

I've documented below what the options tooltips are, and what I believe the functionality is in the code, as a starting point. Worth checking I've got it right!

Restrict Uploads
parameter: restrict_uploads
tooltip: Restrict uploads for lower than manager users to just images if Fileinfo or MIME Magic isn't installed.
code: Restrict uploads for lower than manager users to just images

Check MIME Types
parameter: check_mime
tooltip: Use MIME Magic or Fileinfo to attempt to verify files. Try disabling this if you get invalid mime type errors.
code: Only relevant if Restrict Uploads is set to Yes. If Check MIME Types is Yes then it ensures that the MIME type also is valid (ie in addition to the file extension being valid). This applies for all users, including managers. A valid MIME type is one which is in the list of Legal MIME Types. Even if Check MIME Types is set to No, the system checks that the MIME Type can be determined.

Legal Image Extensions (File Types)
parameter: image_extensions
tooltip: Image extensions (file types) you are allowed to upload (comma separated). These are used to check for valid image headers.
code: Extensions (file types) you are allowed to upload (comma separated). [These don't have to be image extensions].

Ignored Extensions
parameter: ignore_extensions
tooltip: Ignored file extensions for MIME type checking and restricted uploads.
code: File extensions of files which any user will always be allowed to upload.

Legal MIME Types
parameter: upload_mime
tooltip: A comma separated list of legal MIME types to upload.
code: If Restrict Uploads is set to Yes and Check MIME Types is set to yes, then the MIME type is checked against this list, and the upload rejected (for all users, including managers) if the MIME type is not found in the list.

Illegal MIME Types
parameter: upload_mime_illegal
tooltip: A comma separated list of illegal MIME types to upload (blacklist).
code: used in com_attachments AttachmentsHelper::upload_file to block uploads.

In addition there is the question of what should happen if the system can't determine the MIME type. At the moment, this results in an error if Restrict Uploads is set to Yes, regardless of whether Check MIME types option is set to Yes or No.

avatar Quy
Quy - comment - 13 Apr 2018
Restrict Uploads
parameter: restrict_uploads
tooltip: Restrict uploads for lower than manager users to just images if Fileinfo or MIME Magic isn't installed.
code: Restrict uploads for lower than manager users to just images

It should include this condition Fileinfo or MIME Magic isn't installed.

Please test PR #20156 to show/hide settings relating to restrict uploads.

avatar robbiejackson
robbiejackson - comment - 14 Apr 2018

I'm not sure how relevant that condition Fileinfo or MIME Magic isn't installed is any longer.
Looking at this page, MIME magic was removed in PHP 5.3, and Fileinfo is now included in standard PHP.

So I think that this is one reason why these tooltip descriptions would benefit from being updated.

avatar Quy
Quy - comment - 14 Apr 2018

Several people in this thread have mentioned that they are using "mime magic".

To me it is the expected behavior that if a extension cant bee detected the upload fails (this is the reason i wrote the code this way) but I'm happy to get another opinions. Technical this is a broken server config and well we can implement workarrounds but they will all compromise Security..

Can we agree with this and not implement workarounds? Which tooltip to rephrase and to what?

avatar robbiejackson
robbiejackson - comment - 14 Apr 2018

Here are some suggestions as a starter.

Personally I would change some of the field names as well as the tooltips. I find it confusing having one field called Legal Extensions and another called Legal Image Extensions. I think that showing the latter only if Restrict Uploads is Yes will help to some extent.

Suggestions for field name changes:

Legal Image Extensions (File Types) - change to Unrestricted Extensions (File Types)
Legal MIME Types - change to Unrestricted MIME Types.

Suggestions for tooltip descriptions:

Restrict Uploads – If set to Yes, then users who have not got manager access are restricted to only a subset of the Legal Extensions which can be uploaded. They may only upload a file if its extension is in the specified Unrestricted Extensions or (if Check MIME Types is set to Yes) if its MIME type is in the specified Unrestricted MIME Types.

Unrestricted Extensions – If Restrict Uploads is Yes, then this is the list of file extensions which any user may upload.

Unrestricted MIME Types – If Restrict Uploads is Yes, then this is the list of MIME Types which any user may upload.

Add a Comment

Login with GitHub to post a comment