File upload gotcha: PDFs get different mime types per browser
July 18 2008 by 
Adam
I've had some time over the last few days to start adding some of the "nice to have" features to a client site before delivering it, and one of those was the ability to upload product images and related PDFs, rather than having to teach them to always follow the naming scheme and how to use FTP. While testing my uploads in various browsers, I came across something I found to be very odd.
When you upload a PDF in IE, the file you receive has what I believe is the correct mime type: "application/pdf" however when you upload the same PDF file using the same code, in Firefox (tested in FF 2 and 3), the mime type is "application/download". I can't explain it. I have no idea why it's wrong. But it is, and consistently so. Could this be the one thing that is implemented correctly in IE and incorrectly in Firefox?
At any rate, it's a simple thing to accommodate. Note the accept attribute of the <CFFile> tag in the code sample below:
<cftry>
<cffile action="upload" accept="application/download,application/pdf" filefield="form.pdfUpload" nameconflict="overwrite" result="result" destination="#expandPath('/path/to/save/your.pdf')#" />
<cfif variables.result.fileExisted neq "NO">
<cfset msg = "PDF was overwritten." />
<cfelse>
<cfset msg = "PDF was saved." />
</cfif>
<cfcatch type="application">
<cfif findNoCase("The MIME type of the uploaded file", cfcatch.message)>
<!--- invalid mime type --->
<cfset msg = "Invalid file type. Please only use a PDF file. File was not saved." />
</cfif>
</cfcatch>
</cftry>
Posted in ColdFusion | 
17 comments
I think CF just sniffs the extension to determine MIME type, so why not just do the same? Just get rid of the 'accept' and check variables.result.serverFileExt eq 'pdf'....
Just a thought :)
@Charlie: I'm definitely interested in what you can find out. I checked the mime type by setting accept to something totally different (ie: "image/jpeg") and uploading a pdf; and then dumping the contents of the cfcatch variable.
@Todd: That doesn't actually check the mime type of the file, just the last few characters of the file name. Not that it's a big risk in this implementation (back-end data administration), but I suppose if I can work this method out I would prefer it. If all else fails, I'll definitely fall back on that.
IE7 also does a neat trick with image MIME's. Turns .jpeg to application/pjpeg
Thanks again IE team, you really keep life interesting!
Aaron Lynch seems to have run into a similar issue, .
@todd - i was under the impression that cf actually checked the file to ensure nobody renamed "virus.exe" to "notavirus.pdf"... but seems i was mistaken. i just renamed boobs.jpg (hey where'd that come from?) to filename.pdf and was able to successfully upload it. damn :(
@adam: i'm on 8.01 (8,0,1,195765). could it have been something addressed in the hotfix? i don't see it listed as an addressed item/issue (looking at http://kb.adobe.com/selfservice/viewContent.do?externalId=kb402604&sliceId=1), but maybe it snuck in? :)
i'm pretty sure i tested on both firefox 2 and 3. i only just upgraded firefox the other day, so it was probably ff2. will have to test ff3 tonite and verify (this is a project on my home machine). to be honest... not sure i even tested on IE (yet).
out of curiosity... how did you test the mime type to ascertain that FF is seeing it as 'application/download'?
@Charlie: This is CF8 (but not 8.01) running on Windows Server 2003 (I think Enterprise?)
What version of Firefox are you using? I wish I could make a test page from my dev server public for you, but it's internal only and I don't think I can get a VPN request approved for this. ;)
what version of CF? i'm working on something right now that accepts an upload in PDF form only and the application/pdf by itself tested fine in firefox for me (on CF 8, winXP).
@Todd, CF checks the MIME Type, as in the accept="" parameter, but it is definitely good to run a check on the extension as well.
What I'm saying is, CF uses coldfusion.util.MimeTypeUtils behind the scenes to check the MIME type (when you use accept="") - and that util does nothing but guess your MIME type based on the extension (probably uses java.net.URLConnection.guessContentTypeFromName() behind the scenes). Try it out - rename a 'jpg' to 'pdf' and do coldfusion.util.MimeTypeUtils.guessMimeType('file.pdf') and you'll get 'application/pdf'...
So my whole point is, just sniff the extension yourself... if neq 'pdf' then delete it and move on...
FWIW java.net.URLConnection has a method guessContentTypeFromStream but it only supports:
- application/java-vm
- application/x-java-serialized-object
- text/html
- application/xml
- image/gif
- image/x-bitmap
- image/x-pixmap
- image/png
- image/jpeg
- image/jpg
- image/vnd.fpx
- audio/basic
- audio/x-wav
But I'm obviously wrong now that I read what you guys are saying...the browser must pass the MIME type that CF checks.
I stand corrected...I suck...
@Todd: If nothing else, all that digging you did is sure to come in handy to someone, somewhere, sometime. ;)
As I said before, it is good security practice to check extension as well, but there is no question that the origination of the file affects the MIME type server side.
I do not remember ever having a problem with PDF files uploading and FF (1, 2 or 3) on any CF version (6-8.0.1).
In your test, was IE and FF on the same computer?
Could it be that your FF just did not know what a PDF is?
Is there any PDF reading application installed on the same machine?
Or maybe some FF plug-in is at fault here? Or at any prior time did you ever select to download a pdf file and checked the 'always do this for this type of files' on a FF open/save file dialogue box?
Not sure if any of the above actually can cause the issue - just looking for possible explanations. But it sure seems like an individual computer setup issue to me...
@Azadi, I will be sure to check into those. Both FF and IE were running on the same machine, which also has Acrobat Reader installed. I may have (but don't recall) told them to "always do [this] with pdf files" -- but would that even matter with an upload?
Something I can try is a blank FF profile.
Adam, i have the exact same problem here, with the added confusion that accept="application/download,application/pdf" also won't work in FF 3.03.
All works fine in IE.