UploadedFile->guessExtenstion() & Config/Mimes::guessExtensionFromType() improvements.

[nowackipawel]

#1367
guessExtension() more predictable

[lonnieezell]

The point of that method is to guess the file type without any user-supplied input and your variation uses the client-supplied file extension which is a potential security issue. With your version someone could pass a potentially harmful file but give it an extension that appeared harmless. If the app was poorly programmed it could potentially be something that gets executed, or be javascript that gets displayed in someone's browser when they thought it was an image, etc.

[nowackipawel]

Ofc, you are right and I agree in 100% about point of that method, but for extensions like
jp2, j2k, jpf, jpg2, jpx, jpm, mj2, mjp2 this method will return jp2 - additional parameter allows to return the same extension like in call if there are many extensions with the same mime type.

I think it will be more natural to get the same extension like client provide if its mime type is correct than random one. Doing this I was thinking about security, and I don't see any cons of changing it in that way.

@lonnieezell am I wrong with my thinking?

[lonnieezell]

I'm sorry. I read the logic wrong the other night. What you're doing there actually does work and still keeps things safe. Sorry about that. Will merge.

[nowackipawel]

thx.

[daljit3]

Hi - there is an issue with the new update or maybe due to changes by someone else.

in Config/Mimes.php this method below returns null.

public static function guessExtensionFromType(string $type, ?string $proposed_extension = null) {
return null;
}

in System/HTTP/Files/UploadedFile.php return type must be string - so the null return from the above throws a critical error.

public function guessExtension(): string 
{
	return \Config\Mimes::guessExtensionFromType($this->getMimeType(), $this->getClientExtension());
}

CRITICAL - 2018-10-31 09:35:20 --> Return value of CodeIgniter\HTTP\Files\UploadedFile::guessExtension() must be of the type string, null returned
#0 /var/www/myproject/system/HTTP/Files/UploadedFile.php(350): CodeIgniter\HTTP\Files\UploadedFile->guessExtension()

[daljit3]

Shall I report it as a bug ?

[nowackipawel]

Will fix it asap - tmrw .
Ofc one small change is necessary - there should not be a type hinting.

[nowackipawel]

Type hinting of uploadfile method was exact the same as was in File . However type hinting should be ?string method of Config\Mimes could return null. Pr#1399