Request: Add file validation based on real MIME type (not just extension) in Pro Forms

Hi Daniele,
Currently, file uploads in Pro Forms rely on extension checks (via filepond.js) to validate allowed file types. The problem is that this can be bypassed by simply renaming an unsafe file (e.g., malware.exe → image.png).

For stronger security, it would be great if Bricksforge Pro Forms could validate the real MIME type of the file content, similar to what the plugin Lord of the Files does. This way, uploads would be checked against what the file truly is, not just the extension provided by the client.

References:

This would make Pro Forms much more secure out of the box, without extra dependencies.

Thanks for considering!
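To make the distinction between the two checks concrete, here is an added example (not code from Bricksforge, Filepond or Lord of the Files) of a server-side validator that accepts an upload only when the extension is on an allow-list and the leading bytes of the content identify the same type. The magic-byte table, the allow-list and the sample uploads are constructed for the demonstration; a real plugin would delegate the sniffing to libmagic (PHP's finfo, or WordPress's wp_check_filetype_and_ext) rather than carry its own table.

```python
"""Upload validation by content, not just by extension (added example)."""
import os
from typing import Dict, Optional, Tuple

# Constructed subset of well-known file signatures: (offset, bytes, mime type).
MAGIC = [
    (0, b"\x89PNG\r\n\x1a\n", "image/png"),
    (0, b"\xff\xd8\xff", "image/jpeg"),
    (0, b"GIF87a", "image/gif"),
    (0, b"GIF89a", "image/gif"),
    (4, b"ftyp", "video/mp4"),  # ISO base media: 'ftyp' box after a 4-byte size
]

# Constructed allow-list mirroring "images and videos only": extension -> expected type.
ALLOWED: Dict[str, str] = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "webp": "image/webp",
    "mp4": "video/mp4",
}


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unrecognised."""
    # WebP is a RIFF container; both markers must be present.
    if data.startswith(b"RIFF") and data[8:12] == b"WEBP":
        return "image/webp"
    for offset, signature, mime in MAGIC:
        if data[offset:offset + len(signature)] == signature:
            return mime
    return None


def extension_of(filename: str) -> str:
    return os.path.splitext(filename)[1].lower().lstrip(".")


def extension_only_check(filename: str) -> bool:
    """The weak client-side style check: trusts the name the client supplied."""
    return extension_of(filename) in ALLOWED


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only if the extension is allowed AND the content is of that exact type."""
    ext = extension_of(filename)
    if ext not in ALLOWED:
        return False, f"extension .{ext or '<none>'} is not allowed"
    sniffed = sniff_mime(data)
    if sniffed is None:
        return False, "content does not match any allowed type"
    if sniffed != ALLOWED[ext]:
        # A real JPEG named .png is also rejected: name and content must agree.
        return False, f".{ext} claims {ALLOWED[ext]} but content is {sniffed}"
    return True, sniffed


# Constructed sample uploads (filename -> first bytes of the file).
SAMPLES: Dict[str, bytes] = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 8,
    "sticker.webp": b"RIFF\x10\x00\x00\x00WEBPVP8 " + b"\x00" * 8,
    "renamed_exe.png": b"MZ\x90\x00" + b"\x00" * 16,   # PE header, renamed to .png
    "script.png": b"#!/bin/sh\necho hello\n",            # text file, renamed to .png
    "actually_jpeg.png": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "notes.txt": b"just some text",
}


def run_samples() -> Dict[str, Tuple[bool, bool]]:
    """For each sample: (passes extension-only check, passes content check)."""
    return {
        name: (extension_only_check(name), validate_upload(name, data)[0])
        for name, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (by_ext, by_content) in run_samples().items():
        print(f"{name:20s} extension-only={by_ext!s:5s} content-check={by_content}")
```

Running it shows the renamed executable and the renamed shell script passing the extension-only check and failing the content check, which is exactly the gap the request describes; the mismatched `actually_jpeg.png` is rejected too, because a name/content disagreement is treated as suspicious rather than silently accepted.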

Hey 🙂 Thank you! Did you already test to rename an unsafe file to a valid extension? This should not work, as we double check on server side for the mime type. On frontend, it will probably pass because of the simple Filepond check, but the server should not allow the submission.

Hi Daniele, thanks!
Yes, I already did a test to rename a file, in this case, a “malware” called EICAR to test the upload security and it did pass:

When downloading the file (.png), Microsoft Defender detected it.
BTW, I only set it up to allow images and videos.

Got it! I’ve added some additional checks to ensure submissions are blocked in such cases. Really appreciate you pointing this out to us 🙂 Will be deployed in the next update.
