Same server, same file, different mime types

Question

Same application running on two different servers (dev/prod). The servers are running the same version of pretty much everything as far as I can tell (CF, Java, IIS, etc).

On development I upload a specific Word doc and ColdFusion identifies it as application/msword and on prod it's identified as application/x-tika-msoffice.

I'm trying to diagnose why. My fix is to allow the application/x-tika-msoffice mime type in my uploads, but still, what can cause it to be different. If there are some specific server settings I need to check please let me know, but everything I can think of seems the same between prod and dev.

Answer 1

The MIME type is sent by the browser so that is probably explains the difference you are seeing. Perhaps on development you have Office installed and on the production server you hopefully do not.

You should never use the MIME type to determine if a file should be uploaded for this reason -- instead always use the file extension. This mime type can easily be spoofed and is thus pointless to rely upon for validation.

CF10+ allows you to specify a file extension list in the accept attribute of the cffile tag. It also adds the strict attribute and defaults it to true which does a server side MIME type inspection (essentially the same as running fileGetMimeType() but even with strict=true you still cannot rely upon this file inspection, extensions are more important (do both).