doujiu9172 2011-05-14 06:38
Views: 18
Accepted

Reliability of MIME types for uploads (PHP)

I've had this question for a while: how exactly is the MIME type of a file determined? I believe this is done by checking if specific bytes of the file contain any of the known magic numbers / file signatures, right?

If so, this poses another question. Let's say I upload a bash script with a fake GIF file signature to a website that only allows images to be uploaded; what is going to happen? Either:

  1. the mimetype detection routine is smart enough to detect fake signatures, or
  2. image/gif is wrongly returned as the mimetype and the upload is allowed to continue

I don't have a hex editor installed at the moment, and I don't like to form security-related conclusions from tests, as I might miss (or misinterpret) something, so my question is: which one of the above options is correct?

Also, are there any other best practices (besides checking the MIME type) to ensure that any given file is in fact what it seems / needs (or is allowed) to be? Thanks in advance.

PS: Just to be clear, I'm not asking about the type index in the $_FILES superglobal.


3 answers

  • doudiemei2013 2011-05-14 06:52

    My understanding is the MIME determination routines in the file upload code are extremely crude and that the MIME type in the $_FILES array simply can't be trusted. It's been my experience that it's easily foxed.

    You're better off using the Fileinfo library, which provides more robust file type detection.

    http://www.php.net/manual/en/ref.fileinfo.php

    This answer was selected as the best answer by the asker.
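Added example, not code from the thread above. It works through the scenario in the question (a shell script with a GIF signature in front of it) and the advice in the answer (use Fileinfo, which wraps libmagic): a signature-only check of the kind libmagic performs for GIF accepts the fake file, a structural parse of the GIF block grammar rejects it, and a structurally valid GIF that carries the script in a comment extension gets past both, which is why a practitioner rebuilds or re-encodes the image rather than storing the client's bytes. Every sample file is constructed inline; function names (`sniff_mime`, `parse_gif`, `strip_extensions`, `build_gif_polyglot`, `accept_upload`) are this example's own, not PHP or libmagic API.

```python
"""Added example: signature sniffing versus structural validation for GIF uploads.
Sample inputs are constructed here; nothing is read from disk or the network."""
import struct
from typing import Optional

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")

# Constructed input: the question's case, a bash script with a fake GIF signature.
FAKE_GIF_SCRIPT = b"GIF89a\n#!/bin/bash\necho pwned\n"


def sniff_mime(data: bytes) -> str:
    """Signature-only detection: compare leading bytes with known magic numbers.
    This is what libmagic (and so PHP's finfo) does for GIF, so it says image/gif
    for FAKE_GIF_SCRIPT too."""
    if data[:6] in GIF_SIGNATURES:
        return "image/gif"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    return "application/octet-stream"


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed sub-blocks terminated by a 0 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def _subblock_payload(data: bytes, start: int, end: int) -> bytes:
    """Join the payload bytes of the sub-block chain occupying data[start:end]."""
    out, pos = bytearray(), start
    while pos < end:
        n = data[pos]
        pos += 1
        out += data[pos:pos + n]
        pos += n
    return bytes(out)


def parse_gif(data: bytes) -> dict:
    """Structural check: walk header, logical screen descriptor, global colour
    table, then extension / image blocks up to the trailer. Raises ValueError on
    anything that is not a syntactically complete GIF. Pixel data (LZW) is not
    decoded, so this is still weaker than a full re-encode."""
    if len(data) < 13 or data[:6] not in GIF_SIGNATURES:
        raise ValueError("not a GIF header")
    width, height, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    pos = 13
    if packed & 0x80:                          # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    prefix_end, blocks = pos, []               # blocks: (kind, start, end)
    while True:
        if pos >= len(data):
            raise ValueError("missing trailer")
        start, block = pos, data[pos]
        pos += 1
        if block == 0x3B:                      # trailer
            break
        if block == 0x2C:                      # image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:                 # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos = _skip_subblocks(data, pos + 1)   # +1 skips LZW min code size
            blocks.append(("image", start, pos))
        elif block == 0x21:                    # extension: label byte, sub-blocks
            if pos >= len(data):
                raise ValueError("truncated extension")
            kind = "comment" if data[pos] == 0xFE else "extension"
            pos = _skip_subblocks(data, pos + 1)
            blocks.append((kind, start, pos))
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {start}")
    if not any(k == "image" for k, _, _ in blocks):
        raise ValueError("no image data")
    comments = [_subblock_payload(data, s + 2, e) for k, s, e in blocks if k == "comment"]
    return {"width": width, "height": height, "blocks": blocks,
            "prefix_end": prefix_end, "comments": comments}


def strip_extensions(data: bytes) -> bytes:
    """Rebuild the file from the parsed structure, keeping header, colour table
    and image blocks only. Every extension block is dropped, including graphic
    control (transparency, frame delay); a real re-encoder keeps those and
    discards only what it does not understand."""
    info = parse_gif(data)
    out = bytearray(data[:info["prefix_end"]])
    for kind, s, e in info["blocks"]:
        if kind == "image":
            out += data[s:e]
    return bytes(out + b"\x3b")


def build_gif_polyglot(script: bytes) -> bytes:
    """Constructed sample: a valid 1x1 GIF carrying `script` in a comment
    extension. Passes sniff_mime and parse_gif; only strip_extensions removes it."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # 2-entry GCT
    gct = b"\x00\x00\x00\xff\xff\xff"
    comment = bytearray(b"\x21\xfe")
    for i in range(0, len(script), 255):                          # sub-blocks <= 255 bytes
        chunk = script[i:i + 255]
        comment += bytes([len(chunk)]) + chunk
    comment += b"\x00"
    image = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)       # 1x1 at (0,0), no LCT
    image += b"\x02\x02\x44\x01\x00"                              # min code size + LZW data
    return header + gct + bytes(comment) + image + b"\x3b"


def accept_upload(data: bytes) -> Optional[bytes]:
    """Upload policy: ignore the client-supplied type and extension, require a
    fully parsed image, and store a rebuilt copy rather than the client's bytes."""
    if sniff_mime(data) != "image/gif":
        return None
    try:
        return strip_extensions(data)
    except ValueError:
        return None


if __name__ == "__main__":
    script = b"#!/bin/bash\necho pwned\n"
    for name, blob in (("fake signature", FAKE_GIF_SCRIPT), ("polyglot", build_gif_polyglot(script))):
        stored = accept_upload(blob)
        print(f"{name}: sniff={sniff_mime(blob)} accepted={stored is not None} "
              f"script_survives={stored is not None and script in stored}")
```

Store the returned bytes under a server-chosen name and extension outside the web root, and serve them with an explicit Content-Type and `X-Content-Type-Options: nosniff`; the client's filename, its `type` field in `$_FILES`, and the sniffed type are all inputs to the decision, never the decision itself.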
