Why is it not safe to determine file type by its extension? - Javascript - PhpOut

Kallzvx
April 25, 2023
145 views
0 votes
2 Answers

I came across this answer: https://stackoverflow.com/a/70602109/6880256 and there is a line saying:

TLDR on that is you must assert because the file extension can’t be used to determine the file type for security reasons.

What is the security reason it is talking about?

Tags: javascript security

Answers

- LegitCodeRed
- April 25, 2023 at 11:21 pm
- 0 votes
0
Well it just means, you cant tell from the file extension like .jpg that its not an executable or any other file.

Login or Signup to reply.

- SeamonDev
- April 25, 2023 at 11:23 pm
- 0 votes
0
The security reason behind this that you cannot assume the content of a file because of it’s file ending.
This basic Html file:
```
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Website Title</title>
  </head>
  <body>
 </body>
</html>
```
can be saved as .ts, .js, .html, .fxml, .mp4 whatever you can think of basically.
If you have a service and you only want to store .mp4 files on this service, imagine for example YouTube, then you can only assure that this file is infact a .mp4 file if you read its content and not only because its file ending is .mp4.
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.