问题描述

如果我支持REST API用户上传内容（主要是图片和视频），是否安全地信任 Content-Type 你肯定不应该盲目地相信 Content-type 标题或任何其他标题。这些东西应该用来告诉你如何处理请求的决定。因此， Content-type：application / json 应该允许你将消息主体解释为一个json对象 - 然后可以将这种请求传递给一个JSON解串器来绑定它



忽略 Content-type 头是错误的，因为请求主体包含数据其中看起来像别的东西。如果请求内部不一致，则应拒绝该请求。发送 Content-type 标题是一回事，但是标题是错误的另一个问题。



所以，你可能想使用某种自动检测的唯一情况应该是你没有关于内容的合理信息 - Content-Type 是非常通用的（例如 / ），或根本不存在。在这种情况下，确定某种自动检测是否可能或有价值是值得的。


If I'm supporting the upload of content (mostly images and video) by my REST API's users, is it safe to trust the Content-Type they declare in (multipart) uploads? Or should I, instead, run some kind of "media type detection" on the content (using, for example, Apache Tika) to ensure that the declared media type corresponds to the detected, actual one? Am I being over-zealous by introducing this media type detection step?

You certainly shouldn't blindly trust the Content-type header, or any other header. These things should be used to inform your decisions about how to process the request. So, Content-type: application/json should allow you to interpret the message body as a json object - that sort of request might then be passed to a JSON deserialiser to bind it to an object.

It would be wrong to ignore the Content-type header just because the request body contains data which looks like something else. If the request is internally inconsistent then it should be rejected. It's one thing not to send a Content-type header but quite another for the header to be wrong.

So, the only situation where you might want to use some sort of automatic detection should be where you have no reasonable information about the content - either Content-Type is very generic (such as "/") or not present at all. In that situation it's worth deciding whether some kind of autodetection is possible or valuable.