File upload gotcha: PDFs get different mime types per browser

I've had some time over the last few days to start adding some of the "nice to have" features to a client site before delivering it, and one of those was the ability to upload product images and related PDFs, rather than having to teach them to always follow the naming scheme and how to use FTP. While testing my uploads in various browsers, I came across something I found to be very odd.

When you upload a PDF in IE, the file you receive has what I believe is the correct mime type: "application/pdf" however when you upload the same PDF file using the same code, in Firefox (tested in FF 2 and 3), the mime type is "application/download". I can't explain it. I have no idea why it's wrong. But it is, and consistently so. Could this be the one thing that is implemented correctly in IE and incorrectly in Firefox?

At any rate, it's a simple thing to accommodate. Note the accept attribute of the <CFFile> tag in the code sample below:

Posted in ColdFusion | 19 Responses  

19 responses:

• todd sharp Jul 23, 2008 at 12:32 AM I think CF just sniffs the extension to determine MIME type, so why not just do the same? Just get rid of the 'accept' and check variables.result.serverFileExt eq 'pdf'....
  
  Just a thought :)
• Adam Jul 23, 2008 at 12:32 AM @Charlie: I'm definitely interested in what you can find out. I checked the mime type by setting accept to something totally different (ie: "image/jpeg") and uploading a pdf; and then dumping the contents of the cfcatch variable.
  
  @Todd: That doesn't actually check the mime type of the file, just the last few characters of the file name. Not that it's a big risk in this implementation (back-end data administration), but I suppose if I can work this method out I would prefer it. If all else fails, I'll definitely fall back on that.
• Aaron Lynch Jul 23, 2008 at 12:32 AM IE7 also does a neat trick with image MIME's. Turns .jpeg to application/pjpeg
  
  Thanks again IE team, you really keep life interesting!
• Adam Jul 23, 2008 at 12:32 AM Aaron Lynch seems to have run into a similar issue, .
• charlie griefer Jul 23, 2008 at 12:32 AM @todd - i was under the impression that cf actually checked the file to ensure nobody renamed "virus.exe" to "notavirus.pdf"... but seems i was mistaken. i just renamed boobs.jpg (hey where'd that come from?) to filename.pdf and was able to successfully upload it. damn :(
• charlie griefer Jul 23, 2008 at 12:32 AM @adam: i'm on 8.01 (8,0,1,195765). could it have been something addressed in the hotfix? i don't see it listed as an addressed item/issue (looking at http://kb.adobe.com/selfservice/viewContent.do?externalId=kb402604&sliceId=1), but maybe it snuck in? :)
  
  i'm pretty sure i tested on both firefox 2 and 3. i only just upgraded firefox the other day, so it was probably ff2. will have to test ff3 tonite and verify (this is a project on my home machine). to be honest... not sure i even tested on IE (yet).
  
  out of curiosity... how did you test the mime type to ascertain that FF is seeing it as 'application/download'?
• Adam Jul 23, 2008 at 12:32 AM @Charlie: This is CF8 (but not 8.01) running on Windows Server 2003 (I think Enterprise?)
  
  What version of Firefox are you using? I wish I could make a test page from my dev server public for you, but it's internal only and I don't think I can get a VPN request approved for this. ;)
• charlie griefer Jul 23, 2008 at 12:32 AM what version of CF? i'm working on something right now that accepts an upload in PDF form only and the application/pdf by itself tested fine in firefox for me (on CF 8, winXP).
• Aaron Lynch Jul 23, 2008 at 12:32 AM @Todd, CF checks the MIME Type, as in the accept="" parameter, but it is definitely good to run a check on the extension as well.
• todd sharp Jul 23, 2008 at 12:32 AM What I'm saying is, CF uses coldfusion.util.MimeTypeUtils behind the scenes to check the MIME type (when you use accept="") - and that util does nothing but guess your MIME type based on the extension (probably uses java.net.URLConnection.guessContentTypeFromName() behind the scenes). Try it out - rename a 'jpg' to 'pdf' and do coldfusion.util.MimeTypeUtils.guessMimeType('file.pdf') and you'll get 'application/pdf'...
  
  So my whole point is, just sniff the extension yourself... if neq 'pdf' then delete it and move on...
• todd sharp Jul 23, 2008 at 12:32 AM FWIW java.net.URLConnection has a method guessContentTypeFromStream but it only supports:
  
  - application/java-vm
  - application/x-java-serialized-object
  - text/html
  - application/xml
  - image/gif
  - image/x-bitmap
  - image/x-pixmap
  - image/png
  - image/jpeg
  - image/jpg
  - image/vnd.fpx
  - audio/basic
  - audio/x-wav
• todd sharp Jul 23, 2008 at 12:32 AM But I'm obviously wrong now that I read what you guys are saying...the browser must pass the MIME type that CF checks.
  
  I stand corrected...I suck...
• Adam Jul 23, 2008 at 12:32 AM @Todd: If nothing else, all that digging you did is sure to come in handy to someone, somewhere, sometime. ;)
• Aaron Lynch Jul 23, 2008 at 12:32 AM As I said before, it is good security practice to check extension as well, but there is no question that the origination of the file affects the MIME type server side.
• Azadi Saryev Jul 24, 2008 at 10:01 AM I do not remember ever having a problem with PDF files uploading and FF (1, 2 or 3) on any CF version (6-8.0.1).
  
  In your test, was IE and FF on the same computer?
  Could it be that your FF just did not know what a PDF is?
  Is there any PDF reading application installed on the same machine?
  
  Or maybe some FF plug-in is at fault here? Or at any prior time did you ever select to download a pdf file and checked the 'always do this for this type of files' on a FF open/save file dialogue box?
  
  Not sure if any of the above actually can cause the issue - just looking for possible explanations. But it sure seems like an individual computer setup issue to me...
• Adam Jul 25, 2008 at 12:54 AM @Azadi, I will be sure to check into those. Both FF and IE were running on the same machine, which also has Acrobat Reader installed. I may have (but don't recall) told them to "always do [this] with pdf files" -- but would that even matter with an upload?
  
  Something I can try is a blank FF profile.
• Marc Feb 3, 2009 at 1:05 PM Adam, i have the exact same problem here, with the added confusion that accept="application/download,application/pdf" also won't work in FF 3.03.
  All works fine in IE.
• Deepak Jul 22, 2009 at 11:21 AM try "image/pdf"
• Azadi Saryev Nov 22, 2009 at 7:45 PM late to come back, but...
  
  FF uses a file called mimeTypes.rdf, where it stores info about what applications to use to open a file of a particular mime type and what mime type to send the file as when uploading it. this is a per-profile file. what FF stores in it depends on what you select to do with the file when downloading it. some FF add-ons can change that file as well.
  
  the result is that a file you know to be a certain mime type will be uploaded by FF with a totally different mime type. i.e. my pdfs are now uploaded by FF as binary/octet-stream...
  
  Azadi