Macro-enabled Excel workbooks incorrectly identified as non-macro-enabled content type #115

Open
timfrazee opened this issue Oct 7, 2024 · 0 comments

Comments

@timfrazee

Marcel version: 1.0.4
Ruby version: 3.2.3
Rails version: 7.1.3.2

Issue:

Uploading a .xlsm file (Excel macro-enabled workbook). ActionDispatch::Http::UploadedFile carries the correct content-type definition of application/vnd.ms-excel.sheet.macroenabled.12.

Marcel::MimeType#for and Marcel::Magic.by_magic for this file return application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, the expected content-type for a non-macro-enabled workbook.

This causes problems when uploading .xlsm files to S3, which uses the content type to determine the extension of the file upon download. As a result, uploaded .xlsm files are being downloaded from S3 as .xlsx files, which refuse to open due to the incorrect content type.

At a glance, it appears that application/vnd.ms-excel.sheet.macroenabled.12 isn't provided as an option in Marcel::MAGIC.

Workaround:

As a workaround, one can pass the extension only, which does produce the correct content-type. However, there are obvious security risks around this approach.
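An added example, not code from Marcel or from the issue author: instead of trusting the extension, the check below reads the workbook part type that an OOXML package declares in `[Content_Types].xml` and maps it to the two MIME types named in the issue. The function names (`zip_member`, `spreadsheet_mime`, `sample_package`) are hypothetical, the sample archives are constructed inline, and the reader assumes no ZIP64 and no encryption.

```ruby
require "zlib"

XLSX = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
XLSM = "application/vnd.ms-excel.sheet.macroenabled.12"
# Workbook part types an OOXML package declares in [Content_Types].xml.
SHEET_MAIN = "#{XLSX}.main+xml"
MACRO_MAIN = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"

# Read one member through the ZIP central directory (no ZIP64, no encryption).
def zip_member(bytes, wanted)
  eocd = bytes.rindex("PK\x05\x06".b) or return nil
  count, _size, pos = bytes[eocd + 10, 10].unpack("vVV")
  count.times do
    return nil unless bytes[pos, 4] == "PK\x01\x02".b
    method = bytes[pos + 10, 2].unpack1("v")
    csize = bytes[pos + 20, 4].unpack1("V")
    nlen, elen, clen = bytes[pos + 28, 6].unpack("vvv")
    local = bytes[pos + 42, 4].unpack1("V")
    if bytes[pos + 46, nlen] == wanted.b
      lnlen, lelen = bytes[local + 26, 4].unpack("vv")
      data = bytes[local + 30 + lnlen + lelen, csize]
      return method == 8 ? Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(data) : data
    end
    pos += 46 + nlen + elen + clen
  end
  nil
end

# Decide the type from package content, never from the client-supplied name.
def spreadsheet_mime(bytes)
  types = zip_member(bytes.b, "[Content_Types].xml") or return nil
  return XLSM if types.include?(MACRO_MAIN)
  types.include?(SHEET_MAIN) ? XLSX : nil
rescue StandardError # malformed or truncated archive
  nil
end

# Constructed sample: a one-member, uncompressed ZIP declaring main_type.
def sample_package(main_type)
  name = "[Content_Types].xml".b
  xml = %(<Types><Override PartName="/xl/workbook.xml" ContentType="#{main_type}"/></Types>).b
  meta = [0, 0, 0, 0, Zlib.crc32(xml), xml.bytesize, xml.bytesize, name.bytesize, 0]
  local = "PK\x03\x04".b + [20, *meta].pack("v5V3v2") + name + xml
  central = "PK\x01\x02".b + [20, 20, *meta, 0, 0, 0, 0, 0].pack("v6V3v5V2") + name
  local + central + "PK\x05\x06".b + [0, 0, 1, 1, central.bytesize, local.bytesize, 0].pack("v4V2v")
end

puts spreadsheet_mime(sample_package(MACRO_MAIN)) # macro-enabled sample
puts spreadsheet_mime(sample_package(SHEET_MAIN)) # plain workbook sample
```

Compressed members are inflated without a size cap here; a production check would bound the inflated size before trusting an upload.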
