File upload gotcha: PDFs get different mime types per browser

I've had some time over the last few days to start adding some of the "nice to have" features to a client site before delivering it, and one of those was the ability to upload product images and related PDFs, rather than having to teach them to always follow the naming scheme and how to use FTP. While testing my uploads in various browsers, I came across something I found to be very odd.

When you upload a PDF in IE, the file you receive has what I believe is the correct mime type: "application/pdf" however when you upload the same PDF file using the same code, in Firefox (tested in FF 2 and 3), the mime type is "application/download". I can't explain it. I have no idea why it's wrong. But it is, and consistently so. Could this be the one thing that is implemented correctly in IE and incorrectly in Firefox?

At any rate, it's a simple thing to accommodate. Note the accept attribute of the <CFFile> tag in the code sample below:

<cftry>
<cffile action="upload" 
        accept="application/download,application/pdf" 
        filefield="form.pdfUpload" 
        nameconflict="overwrite" 
        result="result" 
        destination="#expandPath('/path/to/save/your.pdf')#" />
<cfif variables.result.fileExisted neq "NO">
    <cfset msg = "PDF was overwritten." />
<cfelse>
    <cfset msg = "PDF was saved." />
</cfif>
<cfcatch type="application">
    <cfif findNoCase("The MIME type of the uploaded file", cfcatch.message)>
        <!--- invalid mime type --->
        <cfset msg = "Invalid file type. Please only use a PDF file. File was not saved." />
    </cfif>
</cfcatch>
</cftry>

Related Entries:

in ColdFusion Posted 2008-07-18 12:36

24 responses:

todd sharp
todd sharp 2008-07-23 12:32 AM #
I think CF just sniffs the extension to determine MIME type, so why not just do the same? Just get rid of the 'accept' and check variables.result.serverFileExt eq 'pdf'....

Just a thought :)
Adam
Adam 2008-07-23 12:32 AM #
@Charlie: I'm definitely interested in what you can find out. I checked the mime type by setting accept to something totally different (ie: "image/jpeg") and uploading a pdf; and then dumping the contents of the cfcatch variable.

@Todd: That doesn't actually check the mime type of the file, just the last few characters of the file name. Not that it's a big risk in this implementation (back-end data administration), but I suppose if I can work this method out I would prefer it. If all else fails, I'll definitely fall back on that.
Aaron Lynch
Aaron Lynch 2008-07-23 12:32 AM #
IE7 also does a neat trick with image MIME's. Turns .jpeg to application/pjpeg

Thanks again IE team, you really keep life interesting!
Adam
Adam 2008-07-23 12:32 AM #
Aaron Lynch seems to have run into a similar issue, .
charlie griefer
charlie griefer 2008-07-23 12:32 AM #
@todd - i was under the impression that cf actually checked the file to ensure nobody renamed "virus.exe" to "notavirus.pdf"... but seems i was mistaken. i just renamed boobs.jpg (hey where'd that come from?) to filename.pdf and was able to successfully upload it. damn :(
charlie griefer
charlie griefer 2008-07-23 12:32 AM #
@adam: i'm on 8.01 (8,0,1,195765). could it have been something addressed in the hotfix? i don't see it listed as an addressed item/issue (looking at http://kb.adobe.com/selfservice/viewContent.do?externalId=kb402604&sliceId=1), but maybe it snuck in? :)

i'm pretty sure i tested on both firefox 2 and 3. i only just upgraded firefox the other day, so it was probably ff2. will have to test ff3 tonite and verify (this is a project on my home machine). to be honest... not sure i even tested on IE (yet).

out of curiosity... how did you test the mime type to ascertain that FF is seeing it as 'application/download'?
Adam
Adam 2008-07-23 12:32 AM #
@Charlie: This is CF8 (but not 8.01) running on Windows Server 2003 (I think Enterprise?)

What version of Firefox are you using? I wish I could make a test page from my dev server public for you, but it's internal only and I don't think I can get a VPN request approved for this. ;)
charlie griefer
charlie griefer 2008-07-23 12:32 AM #
what version of CF? i'm working on something right now that accepts an upload in PDF form only and the application/pdf by itself tested fine in firefox for me (on CF 8, winXP).
Aaron Lynch
Aaron Lynch 2008-07-23 12:32 AM #
@Todd, CF checks the MIME Type, as in the accept="" parameter, but it is definitely good to run a check on the extension as well.
todd sharp
todd sharp 2008-07-23 12:32 AM #
What I'm saying is, CF uses coldfusion.util.MimeTypeUtils behind the scenes to check the MIME type (when you use accept="") - and that util does nothing but guess your MIME type based on the extension (probably uses java.net.URLConnection.guessContentTypeFromName() behind the scenes). Try it out - rename a 'jpg' to 'pdf' and do coldfusion.util.MimeTypeUtils.guessMimeType('file.pdf') and you'll get 'application/pdf'...

So my whole point is, just sniff the extension yourself... if neq 'pdf' then delete it and move on...
todd sharp
todd sharp 2008-07-23 12:32 AM #
FWIW java.net.URLConnection has a method guessContentTypeFromStream but it only supports:

- application/java-vm
- application/x-java-serialized-object
- text/html
- application/xml
- image/gif
- image/x-bitmap
- image/x-pixmap
- image/png
- image/jpeg
- image/jpg
- image/vnd.fpx
- audio/basic
- audio/x-wav
todd sharp
todd sharp 2008-07-23 12:32 AM #
But I'm obviously wrong now that I read what you guys are saying...the browser must pass the MIME type that CF checks.

I stand corrected...I suck...
Adam
Adam 2008-07-23 12:32 AM #
@Todd: If nothing else, all that digging you did is sure to come in handy to someone, somewhere, sometime. ;)
Aaron Lynch
Aaron Lynch 2008-07-23 12:32 AM #
As I said before, it is good security practice to check extension as well, but there is no question that the origination of the file affects the MIME type server side.
Azadi Saryev
Azadi Saryev 2008-07-24 10:01 AM #
I do not remember ever having a problem with PDF files uploading and FF (1, 2 or 3) on any CF version (6-8.0.1).

In your test, was IE and FF on the same computer?
Could it be that your FF just did not know what a PDF is?
Is there any PDF reading application installed on the same machine?

Or maybe some FF plug-in is at fault here? Or at any prior time did you ever select to download a pdf file and checked the 'always do this for this type of files' on a FF open/save file dialogue box?

Not sure if any of the above actually can cause the issue - just looking for possible explanations. But it sure seems like an individual computer setup issue to me...
Adam
Adam 2008-07-25 12:54 AM #
@Azadi, I will be sure to check into those. Both FF and IE were running on the same machine, which also has Acrobat Reader installed. I may have (but don't recall) told them to "always do [this] with pdf files" -- but would that even matter with an upload?

Something I can try is a blank FF profile.
Marc
Marc 2009-02-03 1:05 PM #
Adam, i have the exact same problem here, with the added confusion that accept="application/download,application/pdf" also won't work in FF 3.03.
All works fine in IE.
Deepak
Deepak 2009-07-22 11:21 AM #
try "image/pdf"
Azadi Saryev
Azadi Saryev 2009-11-22 7:45 PM #
late to come back, but...

FF uses a file called mimeTypes.rdf, where it stores info about what applications to use to open a file of a particular mime type and what mime type to send the file as when uploading it. this is a per-profile file. what FF stores in it depends on what you select to do with the file when downloading it. some FF add-ons can change that file as well.

the result is that a file you know to be a certain mime type will be uploaded by FF with a totally different mime type. i.e. my pdfs are now uploaded by FF as binary/octet-stream...

Azadi
youvi
youvi 2011-03-29 4:22 AM #
how to upload a pdf file with it's own name??
Rick Smith
Rick Smith 2011-04-30 12:02 AM #
Came across this in an EXTREMELY frustrating quest to figure out why this was happening to me after I upgraded to Firefox 4. In addition to 'application/download' add 'application/x-download' to your list of MIME-types in the cffile accept field. Firefox 4 uses Acrobat X!
Peter Griffin
Peter Griffin 2011-05-19 11:08 AM #
I'm using ColdFusion MX 7 and FF 4.0.1
MIME type is interpreted as 'application/application/pdf.'
Amy O
Amy O 2011-08-17 1:44 PM #
Funny that this thread is still going several years later.

In any case, I ran into this situation today where a number of mime types were still failing while trying to upload a PDF. Since I can't guess what mime types will be mucked around with in the future, I've stopped using the accepts. I am checking the file itself (CF8+ isPDFFile,isImageFile etc on your results.serverFile) once uploaded. If you still want to check the extension (though who's to say virus.exe wasn't renamed to harmless.jpg), you can always grab the result.clientFileExt.
Louis
Louis 2012-03-06 6:56 AM #
This problem has been annoying me for some time now. Explain this, two different computers, same version of FF, same pdf file. Upload works on one but not the other? Can it be addons causing issues?

Leave a comment:

Leave this field empty: