php - Why does Laravel's getMimeType() method identify a file as "application/octet-stream" when the file has the type attribute of "audio/mpeg"?

Question

I'm trying to upload a MP3 file to a Laravel application and have ran into an issue where even though the file has an attribute set to "audio/mpeg" it is uploaded as a "application/octet-stream" (.bin) file. When I try to die and dump the file on the server-side code with:

dd($request->file('file'));

I get:

UploadedFile {#187 ▼
  -test: false
  -originalName: "CUS12309821-20-AUG-2016-13-48-13.mp3"
  -mimeType: "audio/mpeg"
  -size: 47000471
  -error: 0
  path: "/private/var/folders/c7/6ws0lxy95dd_lhz1k067_zkc0000gn/T"
  filename: "phpyZCsbU"
  basename: "phpyZCsbU"
  pathname: "/private/var/folders/c7/6ws0lxy95dd_lhz1k067_zkc0000gn/T/phpyZCsbU"
  extension: ""
  realPath: "/private/var/folders/c7/6ws0lxy95dd_lhz1k067_zkc0000gn/T/phpyZCsbU"
  aTime: 2016-09-20 12:56:00
  mTime: 2016-09-20 12:56:00
  cTime: 2016-09-20 12:56:00
  inode: 4565593
  size: 47000471
  perms: 0100600
  owner: 501
  group: 20
  type: "file"
  writable: true
  readable: true
  executable: false
  file: true
  dir: false
  link: false
}

Look at how when I use this method, it does indeed say that the file attribute for mimeType is the correct "audio/mpeg" format. However when I call the getMimeType() method on the file after it's uploaded, I get:

"application/octet-stream"

Here's the code in the routed method:

/**
 * Store a newly created resource in storage.
 *
 * @param  IlluminateHttpRequest  $request
 * @return IlluminateHttpResponse
 */
public function store(Request $request)
{
    $file = $request->all();

    $filePath = Storage::putFile('file', $request->file('files'));

    dd($request->file('file')->getMimeType());

    $file['path'] = Storage::url($filePath);
    $file['size'] = Storage::size($filePath);
    $file['type'] = $request->file('file')->getMimeType();

    return $file;
}

This problem is seemingly unique in that I'm using the Laravel framework, where others with this problem are using vanilla PHP. Additionally, the excel file others may us may have reported itself as a application/octet-stream instead of an excel file. Finally, I believe this may be a issue with the guess() method, which is called by the getMethodType(). Someone with more Laravel experience could probably confirm this.

Answer 1

The UploadedFile object is ultimately extended from SymfonyComponentHttpFoundationFileUploadedFile which get/sets the mimeType from The type of the file as provided by PHP.

To access that mimeType you would need to call $file->getClientMimeType()

However in the Symfony docblock for the function it suggests:

The client mime type is extracted from the request from which the file was uploaded, so it should not be considered as a safe value.

For a trusted mime type, use getMimeType() instead (which guesses the mime type based on the file content).

In your case however $file->getMimeType() which should be trusted and guesses the mime type from the contents, however it returns something as if it cannot determine the mime type, being "application/octet-stream"

Additional information

To help you decide. Basically getClientMimeType() would return the mime type that was set by the browser.

The getMimeType call guesses the mime type using two different techniques that I can see:

1. Using a binary mime type technique looking at the output of the following command file -b --mime %s 2>/dev/null if it is supported.

2. The second technique is using the finfo_open command if it does exist inside php.

If both 1. and 2. exists on your system, from what I see 2. will take preference, and 1. will be the fallback.

I personally would favour the results from getMimeType() for security. However, it would be another interesting question to ask "How reliable is browser mime type detection, and what techniques are used" :-)

Updated example

I include an example for you.

For me doing a check on a "DropboxInstalled.dmg", here are my results:

1. using file -b --mime DropboxInstaller.dmg from a commandline (terminal) returns application/octet-stream

2. using finfo_open functionality

$finfo = new finfo(FILEINFO_MIME_TYPE);
echo $finfo->file('./DropboxInstaller.dmg');

returns application/x-iso9660-image