
Safely allow upload of web fonts (ttf, eot, svg, woff, otf) via MIME TYPES / fil

I'm trying to allow safe upload of web fonts in our application, by checking against mime types. This works for most types of files we allow, but it's a problem for web fonts.

We check the mime-type by using PHP's http://php.net/manual/en/book.fileinfo.php

The problem is that PHP will detect all web fonts as mime "application/octet-stream", but allowing that would allow .exe or many other possibly dangerous file uploads.

What is the best way to handle upload of this kind of files?


Find a magic file that contains info about the font formats, and pass that to finfo_open().


I don't rely on the mime checkers built into PHP. I always have problems with them. If you're running Linux, use PHP's exec command to execute the mimetype command in bash and return it to PHP.


You should use phpinfo to check the extension; the mime type can be fake, and you can get a .php file with the mime type of a pdf.

EDIT

$file = "abc.ttf";

// Compare the lower-cased extension against an allow-list
if(in_array(strtolower(pathinfo($file, PATHINFO_EXTENSION)), array("ttf")))
{
    // OK
}

You can add more extensions to the array.


If TTF files are the only ones allowed to be uploaded, use this: http://www.phpkode.com/scripts/item/ttf-info-plus/
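
An added example, not code from any of the answers above: it combines the extension allow-list with a check of each format's leading signature bytes, so a file that fileinfo reports as "application/octet-stream" is still told apart from an executable. The function name `isAllowedFontUpload`, the `FONT_SIGNATURES` table and the sample files are made up for illustration. SVG is left out because it is XML text with no fixed signature.

```php
<?php
// Added example: accept a font upload only if extension AND signature bytes match.
// isAllowedFontUpload() and FONT_SIGNATURES are hypothetical names.

const FONT_SIGNATURES = [
    // extension => [byte offset, accepted signatures at that offset]
    'ttf'  => [0,  ["\x00\x01\x00\x00", 'true']],
    'otf'  => [0,  ['OTTO', "\x00\x01\x00\x00"]],
    'woff' => [0,  ['wOFF']],
    'eot'  => [34, ['LP']],   // EOT MagicNumber 0x504C, stored little-endian
];

function isAllowedFontUpload(string $tmpPath, string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, FONT_SIGNATURES)) {
        return false;         // extension not on the allow-list (.exe, .php, ...)
    }
    [$offset, $signatures] = FONT_SIGNATURES[$ext];

    // Read only the header; never trust the client-supplied MIME type.
    $head = file_get_contents($tmpPath, false, null, 0, 64);
    if ($head === false) {
        return false;
    }
    foreach ($signatures as $sig) {
        if (substr($head, $offset, strlen($sig)) === $sig) {
            return true;
        }
    }
    return false;             // right extension, wrong content
}

// Constructed sample inputs (not real fonts): header bytes only.
// In an upload handler, pass $_FILES['font']['tmp_name'] and $_FILES['font']['name'].
$samples = [
    'brand.woff'  => 'wOFF' . str_repeat("\x00", 40),
    'payload.ttf' => "MZ\x90\x00" . str_repeat("\x00", 40),  // executable renamed to .ttf
    'tool.exe'    => "MZ\x90\x00" . str_repeat("\x00", 40),
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'font');
    file_put_contents($tmp, $bytes);
    printf("%-12s %s\n", $name, isAllowedFontUpload($tmp, $name) ? 'accept' : 'reject');
    unlink($tmp);
}
```

A matching signature shows only that the file starts like a font, not that the whole file is well formed, so store accepted uploads under a server-generated name in a directory the web server does not execute from.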
