New validation option to check that file extension matches mime type

[tagliala]

Hi,

I would like to propose a new validation that checks if the extension matches the actual content type of the document. This should help to prevent upload of a .pdf which is actually a .docx

I don't know a good name for this validation, or if it should be an option of content_type, like match_extension: true

I can work on a PR if you are interested

[igorkasyanchuk]

Let's wait a few days for comment's. Could be useful.

[valscion]

This sounds like content type spoofing validation. Similar to what file_validators has: https://github.com/musaffa/file_validators#security

[lavaturtle]

Adding content type spoofing validation sounds like a good idea to me too. I think kt-paperclip has a feature like this: https://github.com/kreeti/kt-paperclip?tab=readme-ov-file#security-validations

[tagliala]

NOTE: Also starting at version 4.0.0, Paperclip has another validation that cannot be turned off. This validation will prevent content type spoofing. That is, uploading a PHP document (for example) as part of the EXIF tags of a well-formed JPEG. This check is limited to the media type (the first part of the MIME type, so, 'text' in text/plain). This will prevent HTML documents from being uploaded as JPEGs, but will not prevent GIFs from being uploaded with a .jpg extension. This validation will only add validation errors to the form. It will not cause errors to be raised.

this is also interesting

[Mth0158]

Yes that looks like a really good addition to the gem, I'll work on it in the coming days, let me know if you want to help :)