Add optional MIME type validation for uploaded files using libmagic

[youichi-uda]

Summary

Add an optional feature to validate uploaded file MIME types using libmagic (python-magic), rather than relying solely on client-supplied Content-Type headers.

Motivation

Currently, Django's MultiPartParser accepts the Content-Type header provided by the client without validation (see django/http/multipartparser.py, lines 275-278). While this is documented behavior and developers are responsible for sanitizing user input, many developers are unaware of this and trust UploadedFile.content_type for file type validation.

This can lead to security issues when:

• Developers use content_type to restrict uploads (e.g., "only accept images")
• Applications serve uploaded files with the original Content-Type
• File processing pipelines make decisions based on content_type

Proposal

Add an optional libmagic-based MIME type detection to UploadedFile:

# Option 1: New method
uploaded_file.detected_content_type  # Returns libmagic-detected MIME type

# Option 2: Setting to enable validation
# settings.py
FILE_UPLOAD_VALIDATE_CONTENT_TYPE = True  # Validates Content-Type matches actual file

Considerations

• Dependency: python-magic would be an optional dependency
• Performance: Magic byte detection adds overhead; should be opt-in
• Backwards compatibility: Existing behavior unchanged by default

Prior Art

• Flask/Werkzeug: Developers commonly use python-magic manually
• Rails: Active Storage has built-in content type detection
• Laravel: Has MIME type validation rules

Context

This suggestion came from a discussion with the Django Security Team regarding Content-Type handling in file uploads.

[github-actions]

Thank you youichi-uda for sharing your idea! We have a lot of them so please be patient. You can see the current queue here.

Community instructions

For commenters, please use the emoji reactions on the issue to express support, and/or concern easily. Please use the comments to ask questions or contribute knowledge about the idea. It is unhelpful to post comments of "I'd love this" or "What's the state of this?"

Reaction Guide

• 👍 This is something I would use
• 👎 This is something that would cause problems for me or Django
• 😕 I’m indifferent to this
• 🎉 This is an easy win

[knyghty]

Interesting. I'm not sure about the setting. I think it's quite common to have a mix of forms that cater to many users (where you would want this) and internal forms where the users are trusted where you might want to avoid this overhead. So may a lazy property on the file as you suggest may be better, but I also wonder a bit if we should use this safer default if python-magic is installed without needing any code to change.

I dunno, I think it's not an easy problem at this point.

[DmytroLitvinov]

I used file-validator in my projects.
Also, there were some activities in file-validator by me like Zip bomb validation.

So I definetely upvote for that request since each project as for today has FileField fields as a rule of thumb which we need to validat 👍