The mime type tampering protection as introduced in #58 can be bypassed by manipulating window.elfinderOptions, as those will take precedence over the request-based values; see also b0b8be7.
Although this may be fixed by reversing the order or by some other filter on the provided options, I still wonder a bit about the goal of this functionality. As frontend code is notoriously unreliable and practically impossible to secure for consumers, I think one should always rely on backend validation to check the provided file if filtering mime types is essential for some reason.
Side note: this protection layer may be somewhat confusing to some (as indicated by the various issue reports related to it I could find). Would it make sense to add an opt-out config flag somewhere, that disables the controller logic regarding mime types altogether?