
#195 possibly wrong/untrusted mime_type determination in op.Ajax.php and op.AddDocument.php

Milestone: 4.3.13
Status: closed
Owner: nobody
Labels: None
Type: bug
Updated: 2015-06-23
Created: 2015-01-11
Creator: p.kerspe
Private: No

Mimetype determination in op.Ajax (line 472) and op.AddDocument (line 245) is using the untrusted client-side mimetype details provided by the browser.
This value is known to be not always correct and thus should not be used for proper mimetype determination in the application:

  (op.AddDocument.php)
  $userfiletype = $_FILES["userfile"]["type"][$file_num];

  (op.Ajax.php)
  $userfiletype = $_FILES["userfile"]["type"];

A somewhat safe server-side mimetype determination should be used instead, e.g.:

  // $userfiletmp is the uploaded file's temporary path ($_FILES["userfile"]["tmp_name"])
  $info = new finfo(FILEINFO_MIME_TYPE);
  $userfiletype = $info->file($userfiletmp);

This should be replaced by server-side evaluation of the mimetype in order to guarantee proper mimetypes being stored in the DB and by that allowing proper content indexing in Lucene for supported files.

Example for a wrong mimetype:
In my local Firefox installation (v. 34.0.5 on Windows 7) when uploading PDF files, the type is set to "application/x-download" instead of "application/pdf" in SeedDMS (since it trusts the browser's wrong mimetype).
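
Worked example, added here and not part of the ticket or of the SeedDMS code base: a PHP upload check that performs the server-side determination proposed above with ext/fileinfo, keeps the browser-supplied type only for logging, and adds the allow-list cross-check a practitioner would want, because libmagic sniffing is itself only "somewhat safe" (a crafted file can match one signature while still parsing as something else). The function name classifyUpload(), the allow-list and the sample files are assumptions for this demo; it needs php-cli with the fileinfo extension.

```php
<?php
// Added example (not SeedDMS code): determine the MIME type of an upload on the
// server with ext/fileinfo instead of trusting $_FILES[...]["type"], and
// cross-check it against an allow-list before storing it. classifyUpload(),
// the allow-list and the constructed sample files are assumptions for this demo.

declare(strict_types=1);

/**
 * Returns [client_type, sniffed_type, accepted] for one uploaded file.
 * $clientType is what the browser sent ($_FILES["userfile"]["type"]) and is
 * only reported, never trusted. $tmpPath is $_FILES["userfile"]["tmp_name"].
 */
function classifyUpload(string $tmpPath, string $clientType, array $allowed): array
{
    // Vulnerable pattern from the ticket: $userfiletype = $_FILES["userfile"]["type"];
    // Server-side determination instead: libmagic inspects the file content.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->file($tmpPath);
    if ($sniffed === false) {
        $sniffed = 'application/octet-stream';
    }
    // Caveat: magic-byte sniffing is "somewhat safe", not proof. A file can be
    // crafted to match one signature while also parsing as another (polyglots),
    // so still restrict to an allow-list and never let the detected type select
    // a handler that executes the content.
    $accepted = in_array($sniffed, $allowed, true);
    return [$clientType, $sniffed, $accepted];
}

// Constructed sample "uploads", written to temp files so this runs offline.
$samples = [
    // A minimal PDF; the browser in the ticket labelled such a file application/x-download.
    ['name' => 'report.pdf', 'client' => 'application/x-download',
     'data' => "%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"],
    // A PNG signature carrying a .pdf name and a lying client type.
    ['name' => 'evil.pdf', 'client' => 'application/pdf',
     'data' => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16)],
    // A PHP script declared as plain text by the client.
    ['name' => 'notes.txt', 'client' => 'text/plain',
     'data' => "<?php system(\$_GET['c']);\n"],
];
$allowed = ['application/pdf', 'image/png', 'text/plain'];

foreach ($samples as $s) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $s['data']);
    [$client, $sniffed, $ok] = classifyUpload($tmp, $s['client'], $allowed);
    unlink($tmp);
    printf("%-10s client=%-22s sniffed=%-16s %s\n",
        $s['name'], $client, $sniffed, $ok ? 'accepted' : 'rejected');
}
```

The first sample is identified from its %PDF- header regardless of the application/x-download the client claims; the file named evil.pdf is classified by its content, not by its name or the client type; and the script sample shows why the sniffed type is cross-checked against an allow-list rather than stored blindly.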

Discussion

  • Uwe Steinmann - 2015-06-23

    Will be finally closed in 4.3.19

  • Uwe Steinmann - 2015-06-23
    • status: open --> closed
