Heard about this on Python Bytes, and wanted to come offer my perspective. As someone who lives in the offensive security world, this seems incredibly risky. My understanding is that mime types are meant to be based on the file contents, and explicitly not relying on the file extension to do that.
I worry that people will adopt this library to do checks on say web uploads. But if you're telling me your site "only accepts images", but I can upload PHP or an EXE or ELF or whatever with a .jpg extension, that seems like something I'm going to exploit.
I'm not a professional developer, so I'm sure there are use cases I'm not seeing. I just always worry that developers will have similar blind spots to security. Maybe a warning not to use this in production?
I know this is nitpicking, but I think there's a grammatical mistake in the description on GitHub: "without access the file data". Maybe "accessing" or "access to"?
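To illustrate the distinction the comment draws between extension-based and content-based MIME detection, here is an added example (not code from the library under discussion or from the commenter). It compares Python's stdlib `mimetypes.guess_type`, which looks only at the extension, with a small magic-number sniffer over the first bytes of the file, and accepts an upload only when both agree and the content type is on an allow-list. The signature table and sample payloads are constructed for this example and cover only a handful of types; a real deployment would use a full signature library.

```python
import mimetypes
from typing import Optional

# Constructed magic-number table for this example: leading bytes -> MIME type.
# A production check would use a complete signature database instead.
MAGIC_SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x7fELF", "application/x-executable"),
    (b"MZ", "application/x-dosexec"),
    (b"<?php", "text/x-php"),
]

# Content types the hypothetical upload endpoint is willing to store.
ALLOWED_CONTENT_TYPES = {"image/jpeg", "image/png", "image/gif"}


def extension_mime(filename: str) -> Optional[str]:
    """Extension-only guess: trusts whatever name the uploader chose."""
    return mimetypes.guess_type(filename)[0]


def sniff_mime(data: bytes) -> Optional[str]:
    """Content-based guess: inspects the leading bytes, ignores the name."""
    for signature, mime in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return mime
    return None  # unknown content: fail closed


def check_upload(filename: str, data: bytes) -> dict:
    """Return both guesses and an accept decision that requires them to agree.

    Accepting only when the sniffed type is allow-listed AND matches the
    extension blocks a renamed executable or script carrying a .jpg name.
    """
    by_extension = extension_mime(filename)
    by_content = sniff_mime(data)
    accepted = by_content in ALLOWED_CONTENT_TYPES and by_extension == by_content
    return {
        "extension_mime": by_extension,
        "content_mime": by_content,
        "accepted": accepted,
    }


if __name__ == "__main__":
    # Constructed sample uploads: a real JPEG header, an ELF header renamed .jpg,
    # and a PHP source file renamed .jpg.
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8,
        "renamed_elf.jpg": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
        "renamed_php.jpg": b"<?php echo 'hello'; ?>",
    }
    for name, payload in samples.items():
        print(name, check_upload(name, payload))
```

Running it shows that `extension_mime` reports `image/jpeg` for all three names, while `sniff_mime` separates the genuine JPEG from the ELF binary and the PHP source, and only the genuine JPEG is accepted.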