Parsing file headers for content type is inefficient and can be problematic on certain file systems. For large systems the inefficiency can add up.
I've worked through the code and it does not seem necessary to automatically detect content type on each upload. Is content type needed as part of the core upload process? It seems to me only important if we are filtering by type, such as content_type_whitelist.
Currently calls to SanitizedFile#content_type will trigger a parse of the file headers to determine file type. On a default upload, the specific pathway is through the move_to and copy_to methods.
I want to create a PR to make auto content type detection optional.
This would be through the standard Uploader::Configuration mechanisms. The problem with this is that I need to pull content type detection out of SanitizedFile and into the Uploader itself, because otherwise SanitizedFile does not have access to the configuration.
This is a substantial change so I wanted to throw it out there before I proceeded. Does the community have any feedback on this?
This was introduced as a mitigation to ImageTragick in #1934.
I guess Content-type spoofing prevention will be somewhat important, and also ActiveStorage uses similar auto-detection.
But some sort of efficiency improvement may be possible...
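The trade-off discussed in this thread, as an added example that is not part of the thread and not CarrierWave's code: header sniffing is deferred until a type allowlist actually needs it, reads only the first 16 bytes, and is memoized, while a spoofed client-declared type is still rejected. `SniffedUpload`, `accept_upload?`, the `MAGIC` table and the sample bytes are hypothetical names and constructed data; treating a `nil` allowlist as "no filtering configured" is an assumption.

```ruby
require "stringio"

# Hypothetical signature table (not CarrierWave's detection logic).
MAGIC = {
  "image/png"       => "\x89PNG\r\n\x1A\n".b,
  "image/jpeg"      => "\xFF\xD8\xFF".b,
  "image/gif"       => "GIF8".b,
  "application/pdf" => "%PDF-".b
}.freeze

class SniffedUpload
  attr_reader :declared_type, :header_reads

  def initialize(io, declared_type)
    @io = io
    @declared_type = declared_type # client-supplied, untrusted
    @header_reads = 0              # counts how often the file header is read
  end

  # Reads at most 16 bytes, once; later calls return the memoized result.
  def sniffed_type
    return @sniffed_type if defined?(@sniffed_type)
    @header_reads += 1
    @io.rewind
    head = (@io.read(16) || "").b
    @io.rewind
    match = MAGIC.find { |_type, sig| head.start_with?(sig) }
    @sniffed_type = match ? match.first : "application/octet-stream"
  end
end

# Assumption: a nil allowlist means no type filtering is configured,
# so the header is never read on that path.
def accept_upload?(upload, allowlist)
  return true if allowlist.nil?
  allowlist.include?(upload.sniffed_type)
end

# Constructed sample inputs.
CONSTRUCTED_PNG  = "\x89PNG\r\n\x1A\n".b + ("\x00" * 8)
CONSTRUCTED_TEXT = "plain text, not image data\n"

spoofed = SniffedUpload.new(StringIO.new(CONSTRUCTED_TEXT), "image/png")
puts "declared=#{spoofed.declared_type} sniffed=#{spoofed.sniffed_type} " \
     "accepted=#{accept_upload?(spoofed, %w[image/png image/jpeg])}"
```

With detection skipped, the only content type available is the client-declared one, which is the value the spoofed upload above controls.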