Overview

Our Upload_Validator limits the file extensions you're allowed to upload via File.allowed_extensions. It does not perform any mime type sniffing to verify the contents of that file actually match its declared extension. This isn't a security issue as such (it was previously discussed in https://github.com/silverstripe-security/security-issues/issues/41), but can become dangerous if it is combined with a mismatch between the file extensions which are allowed to upload, the ability of a web server environment to detect the mime type on those file extensions (through direct mapping, or "magic" detection), and a lack of nosniff headers in your response.

The underlying issue here is that we've documented file uploads in the context of "allowed extensions", while we should really ask devs to set "allowed mime types".

Status Quo

We do optionally support mime type upload validation via https://github.com/silverstripe/silverstripe-mimevalidator, which is implemented in CWP but can be loaded into any SilverStripe project. It uses PHP's fileinfo module, which could lead to denied uploads if the sniffing fails. It works in addition to the Upload_Validator in core, so validates both extensions and mimetypes. Note that fileinfo is a required module by core according to our server requirements (as well as the flysystem and intervention third party packages).

Mime Type Sources

• HTTP::get_mime_type() has a fallback for a manual list of HTTP.MimeTypes if fileinfo isn't availble. That's unnecessary given we require it in core, but part of our documented API surface. This has the structural flaw of not allowing multiple mime types per extension, so is basically useless - it's a "many many" relationship.
• Mimevalidator has an additional MimeUploadValidator.MimeTypes to work around that issue - see getExpectedMimes()

Options

Option 1: Point devs to optional module in our secure coding practices, and rely on mime detection during download rather than upload
Option 2a: Add module to 4.x framework as-is (only adjust namespace?)
Option 2b: Fold module code into 4.x frameworkd via Upload_Validator in addition to extension-based checks
Option 2c: Fold module into 4.x framework via Upload_Validator, only perform mime-based checks, but continue allowing extension-based checks (via the existing getExpectedMimes() workaround). In case somebody has allowed an extension that isn't in those 900+ mime types, it'd be a breaking change.
Option 2d: Fold module code into 5.x framework via Upload_Validator, only perform mime-based checks, and remove support for extension based checks (throw exception)
Option 3: Add module to a "better recipe", going beyond the basics.

So the question is if mime validation on upload is the baseline, or an optional add-on. We already maintain mimevalidator as a supported module. I think we need to foster the behaviour shift in devs from ambiguous file extensions to safer mime types, it's just a matter in what timeframe that happens.

Notes

• Symfony recommends guessing the extension and mime type validation constraints by default. They notably don't provide a "file extension" constraint, presumably because that's considered inferior to mime types.
• There's actually a (IANA maintained) official list of mime-types, and a map to file extensions: https://en.wikipedia.org/wiki/Media_type#mime.types.

/cc @silverstripe/core-team

Pull Requests

• [x] https://github.com/silverstripe/cwp/pull/268
• [x] https://github.com/silverstripe/cwp-recipe-core/pull/14
• [x] https://github.com/silverstripe/silverstripe-framework/pull/9505
• [x] https://github.com/silverstripe/recipe-core/pull/53
• [x] https://github.com/silverstripe/silverstripe-mimevalidator/pull/38
• [x] https://github.com/silverstripe/cwp/pull/270
• [x] https://github.com/silverstripe/recipe-core/pull/54