If I put jpg header (1st line of a jpg file) in a HTML file and save it with jpg extension, then I can bypass the MIME type checking. eg:
ÿØÿà JFIF d d ÿì Ducky < ÿî Adobe dÀ ÿÛ „
hyuhjjh
<script>
alert(hello);
</script>
If I save the above code as a JPG file then it can bypass the MIME type checking.
echo mime_content_type('x.html.jpg'); //shows 'image/jpeg'
I want the script to check the uploaded file content is purely of that content type( jpg/png or pdf or 3gp/mov). For image, document and video type.
OR doesn't contain any script.
Actually I need it for Drupal. So I have to use custom PHP code. In Drupal 7.50 I have used "File Upload Secure Validator" to validate uploaded file MIME type, But it is useless for the above type of situation.
You need to use some library to actually load the file. For images I used GD to open the target image and check if it returns some reasonable height and width.
Same can be done with the other types. I guess that for video files this can be very resource-demanding, but it's the only way to be sure.