Files with the wrong extension are opened in the wrong application

[legoktm]

Description

Files with incorrect extensions are opened according to the extension, not the actual file type

Steps to Reproduce

Please specify your environment if that is necessary to reproduce the bug (if in
doubt, include it).

1. Grab a webp image from somewhere, and rename the file extension to be .txt.

Expected Behavior

1. It opens in an image viewing application

Actual Behavior

1. Binary gibberish is shown in a text editor

Comments

MIME type sniffing can be a minefield but this is less about the security implications (everything is inside a dispVM) but rather giving journalists a good UX when a mislabeled file is sent.

[rocodes]

Thanks for filing - I think this should happen, but I took a quick look and realized we should treat it as either ancillary to freedomofpress/securedrop-workstation#1139 and our other issues around standardizing the export/view pipeline, or possibly as an upstream question.

Right now we rely on qvm-open-in-vm (qopen-in-vm) and the mime handling in the dispvm, which relies on xdg-open to pick the right program. It looks like whatever xdg-mime query thinks is the right application is what will be selected (xdg-mime), and I don't know if there's an option to use magic bytes and ignore the extension the way there is with file or mime. Just wanted to dump some info here, will think about this more later.