
how to force application/pdf when UPLOADING ?


LC's No-Spam Newsreading account

Nov 6, 2008, 12:13:37 PM
I have developed a set of CGI scripts which allow our local users to
submit items (e.g. job announcements). One of the items involves
checking that an uploaded file is a PDF file (others check image types).

The form action calls the CGI with enctype='multipart/form-data'
and the form contains an INPUT control of type='file'.

I have developed and tested the script on my machine (a Linux SuSE with
firefox) and I had therefore assumed that a PDF file would be identified
in the stream submitted as Content-Type: application/pdf. The CGI tests
the Content-Type and rejects what is not application/pdf.

Now a colleague of mine is trying to use the CGI (others have done it
successfully already) supplying a valid pdf file, but my CGI rejects it
with an error. This is due to the fact his browser generates instead a
Content-Type: application/download.

Note that he is using a Linux Suse more recent than mine and an unknown
firefox version. We solved the issue when he tried from a different
machine with a Linux Suse even more recent, and from there it works.

Now the question is: how can a user instruct his browser (firefox or
in general) to tag as application/pdf a file submitted for upload?

I guess some action in some mailcap, mime.types or preferences file
should be possible, but where ?


I would be very reluctant to relax my CGI to accept application/download
or to do further checks on the "magic" number.


note f/up to comp.infosystems.www.browsers.x

--
----------------------------------------------------------------------
nos...@mi.iasf.cnr.it is a newsreading account used by more persons to
avoid unwanted spam. Any mail returning to this address will be rejected.
Users can disclose their e-mail address in the article if they wish so.

teebo

Nov 6, 2008, 1:50:28 PM
> I have developed a set of CGI scripts which allow our local users to
> submit items (e.g. job announcements). One of the items involves
> checking that an uploaded file is a PDF file (others check image types).

you should never trust data the user submits, so you must
always check that the file actually is a pdf file regardless of
what the user's web browser says it is. (and if you are gonna
republish the pdf file for others to download, you should of course
automatically check that it doesn't contain the pdf viruses/trojans
that attack common pdf viewers today)

Since you shouldn't trust what Content-Type the browsers say about a file
(and they are probably just deciding based on the file extension anyway)
there is no use in filtering on that.
And do you really want to prevent uploading of files from
computers that have no idea what a pdf file is? the user knows it is
a pdf file, and you verify it is true. that's enough

> Now the question is: how can a user instruct his browser (firefox or
> in general) to tag as application/pdf a file submitted for upload?

he doesn't. he should not need to.

> or to do further checks on the "magic" number.

your program should not only check the beginning of the file, the magic number,
but verify that the whole file is well formed and does not have other
kinds of data appended to it etc.
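The server-side discipline teebo describes, as an added example that is not code from either poster: the browser-supplied Content-Type is ignored entirely, and the decision rests on the bytes themselves (magic number, a startxref/%%EOF trailer, and nothing appended after the final %%EOF). The sample inputs are constructed here; a full well-formedness check would hand the bytes to a real PDF parser.

```python
import re

# Constructed sample bodies, not real uploads: a minimal PDF skeleton and two impostors.
PDF_OK = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
          b"xref\n0 1\n0000000000 65535 f \ntrailer\n<< /Size 1 >>\n"
          b"startxref\n52\n%%EOF\n")
PS_FILE = b"%!PS-Adobe-3.0\n/Helvetica findfont\n"          # PostScript, often renamed .pdf
DOC_FILE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16  # OLE2 (.doc) header


def looks_like_pdf(data: bytes) -> bool:
    """Content-based PDF check; never consults any header the browser sent."""
    # Magic number: a PDF starts with "%PDF-" followed by a version such as 1.4.
    if not re.match(rb"%PDF-\d\.\d", data[:8]):
        return False
    # Structural sanity: the cross-reference pointer and end-of-file marker live in the tail.
    tail = data[-1024:]
    if b"startxref" not in tail or b"%%EOF" not in tail:
        return False
    # Nothing but whitespace may follow the last %%EOF; appended payloads are rejected.
    trailing = data[data.rfind(b"%%EOF") + len(b"%%EOF"):]
    return trailing.strip() == b""


def accept_upload(content_type: str, data: bytes) -> bool:
    """Decision the CGI makes for one multipart part.

    content_type is whatever the browser claimed (application/pdf,
    application/download, application/octet-stream ...). It is accepted
    as input only so the caller can log it; the verdict depends on data alone.
    """
    claimed = content_type.lower().strip()  # kept for logging, not for the decision
    verdict = looks_like_pdf(data)
    print(f"claimed={claimed!r} accepted={verdict}")
    return verdict
```
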

LC's No-Spam Newsreading account

Nov 7, 2008, 4:00:58 AM
On Thu, 6 Nov 2008, teebo wrote:

> you should never trust data the user submits, so you must [...] check

> so it doesn't contain the pdf viruses/trojans

All this is overshooting.
My submission form is an .htaccess restricted area which is used only
inside our institute (no more than 50 people, and all well behaved).

> And do you really want to prevent uploading of files from
> computers that have no idea what a pdf file is? the user knows it is
> a pdf file,

What I want to prevent is exactly that the user submits a .doc or .ps
version of the document he prepared, or that he inadvertently clicks on any
other file name,
