multipart.File has no MIME type information #1001
Comments
Pull request resolving this is welcome. But I'm afraid this will require changes upstream to the library we are using for request parsing. :/
Can't this be worked around by checking the uploaded file's extension and contents? Those are sent by the browser in the first place and can be spoofed anyway.
It's kind of possible to try to determine the MIME type server side, using a library that does that, but it's more reliable to use the uploaded file type when the file is just transparently stored server-side. For example, a user might upload a file from a proprietary program that correctly registers its (custom) MIME type in the OS. When downloading that file, the MIME type will still be correct. The server would most likely not recognize the file type and just use Of course there are certain security implications when trusting the client's MIME type, but those are application-specific.
Until somebody contributes a fix to either Ariadne or upstream to python-multipart, this will be a limitation that will have to be worked around, I'm afraid. We just can't maintain a custom HTTP parser as part of Ariadne. We are a GraphQL library and not an HTTP library. Other workarounds that come to mind here are replacing
Multipart's limitations keep coming up on Encode's GitHub, and will be discussed at our next meeting. 🤞
I've started musing if moving the WSGI app to use Werkzeug wouldn't solve the problem. That way people using Ariadne's WSGI app would get a layer of sanity between raw We could have a quick Ariadne release with
Issue on python-multipart repo: Kludex/python-multipart#58
Unfortunately, multipart's `File` class seems to have a serious regression compared to cgi's `FieldStorage` class: Where `FieldStorage.type` contained the declared MIME type of the uploaded file (or `None` if not given), `File` does not seem to have this information. This makes it basically impossible to download uploaded files while keeping the file type intact.
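
The trade-off discussed in this thread (keep the client-declared type, but do not trust it blindly), as an added example that is not code from Ariadne or python-multipart: it reads each part's declared `Content-Type` with the standard-library `email` parser and decides which type to serve on download. The signature table, the `TRUSTED_OPAQUE` allowlist, the `application/x-acme-cad` type and the sample request body are assumptions constructed for illustration.

```python
import email
import email.policy

FALLBACK = "application/octet-stream"
# Leading-byte signatures for the types this example can verify (prefixes only).
MAGIC = {"application/pdf": b"%PDF-", "image/png": b"\x89PNG", "image/gif": b"GIF8"}
# Hypothetical vendor type the application has decided to accept as declared.
TRUSTED_OPAQUE = {"application/x-acme-cad"}

def parse_uploads(content_type, body):
    """Return {filename: (declared type or None, payload bytes)} for file parts."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw, policy=email.policy.HTTP)
    uploads = {}
    for part in msg.iter_parts():
        filename = part.get_filename()
        if filename is None:
            continue  # ordinary form field, not a file
        # get_content_type() defaults to text/plain, so check the header itself.
        declared = part.get_content_type() if part["Content-Type"] is not None else None
        uploads[filename] = (declared, part.get_payload(decode=True))
    return uploads

def sniff(data):
    """Return the type whose signature matches the payload, or None."""
    return next((t for t, sig in MAGIC.items() if data.startswith(sig)), None)

def served_type(declared, data):
    """Type to send back on download; the declared value is client-controlled."""
    sniffed = sniff(data)
    if declared is None:
        return sniffed or FALLBACK
    if declared in MAGIC:
        return declared if sniffed == declared else FALLBACK
    return declared if declared in TRUSTED_OPAQUE and sniffed is None else FALLBACK

def _part(filename, ctype, payload):
    """Build one constructed multipart/form-data file part."""
    head = f'Content-Disposition: form-data; name="f"; filename="{filename}"\r\n'
    if ctype:
        head += f"Content-Type: {ctype}\r\n"
    return b"--XB\r\n" + head.encode() + b"\r\n" + payload + b"\r\n"

# Constructed request body: honest PDF, mislabelled PNG, undeclared GIF, vendor type.
SAMPLE_BODY = (_part("report.pdf", "application/pdf", b"%PDF-1.7 constructed")
               + _part("avatar.png", "image/png", b"<html>not a png</html>")
               + _part("notes.bin", None, b"GIF89a constructed")
               + _part("part.cad", "application/x-acme-cad", b"ACME constructed")
               + b"--XB--\r\n")
UPLOADS = parse_uploads("multipart/form-data; boundary=XB", SAMPLE_BODY)
RESULT = {name: served_type(*upload) for name, upload in UPLOADS.items()}
```

The declared type is stored alongside the payload in `UPLOADS`, so the application can still log or display it even when `served_type` falls back to `application/octet-stream`.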