Description
Context
- Bee version: 2.6.0
- Component: /bzz upload endpoint (pkg/api/bzz.go)
Summary
The /bzz endpoint requires users to provide a Content-Type header when uploading files, but there's no validation that this header matches the actual file content. This leads to incorrect content types being stored in the manifest metadata.
Expected behavior
When a user uploads README.md with Content-Type: image/png, the system should either:
- Reject the request with a validation error, or
- Detect the actual content type and use that instead
Actual behavior
The incorrect Content-Type header is blindly trusted and stored in the manifest. When the file is downloaded later, the browser receives the wrong MIME type and fails to render the content correctly:
- A text file marked as image/png displays as broken image
- Users see corrupted/unreadable content in their browser
Steps to reproduce
- Upload a markdown file with wrong content type:
curl -XPOST \
-H "Swarm-Postage-Batch-Id: <batch-id>" \
-H "Content-Type: image/png" \
--data-binary @README.md \
localhost:1633/bzz
- See the file in the browser
http://localhost:1633/bzz/<reference>
- Browser tries to render markdown as PNG and fails
Possible solution
Remove the Content-Type header requirement and auto-detect the content type from the file bytes using Go's built-in http.DetectContentType().
Benefits:
- Users don't need to specify the correct MIME type
- Eliminates this class of bugs entirely
- Files are always served with correct content types
- Simpler API (one less required header)
Note
Check other endpoints that accept content type from users for the same issue.
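A sketch of the two options listed under "Expected behavior", added here as an illustration and not taken from Bee's code or from the issue author. `resolveContentType` and `textual` are hypothetical helpers. Note that `http.DetectContentType` has no signature for Markdown and reports it as `text/plain; charset=utf-8`, so the sketch keeps a declared text type when the body sniffs as text, and rejects a declared type that contradicts the sniffed one.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"strings"
)

// textual reports whether a media type is a text format that the sniffer
// can only ever see as text/* (Markdown, JSON, SVG, ...).
func textual(t string) bool {
	return strings.HasPrefix(t, "text/") || strings.HasSuffix(t, "+xml") ||
		strings.HasSuffix(t, "+json") || t == "application/json" ||
		t == "application/javascript" || t == "application/xml"
}

// resolveContentType (hypothetical helper, not Bee code) returns the type to
// store in the manifest, or an error when the declared header contradicts
// what http.DetectContentType sniffs from the first 512 bytes of the body.
func resolveContentType(declared string, body []byte) (string, error) {
	detected := http.DetectContentType(body)
	if declared == "" {
		return detected, nil // nothing declared: fall back to sniffing
	}
	dec, _, err := mime.ParseMediaType(declared)
	if err != nil {
		return "", fmt.Errorf("malformed Content-Type %q: %w", declared, err)
	}
	det, _, _ := mime.ParseMediaType(detected)
	switch {
	case det == dec, det == "application/octet-stream":
		return declared, nil // match, or no signature to check against
	case strings.HasPrefix(det, "text/") && textual(dec):
		return declared, nil // sniffer cannot tell text formats apart
	}
	return "", fmt.Errorf("declared %q but content looks like %q", dec, det)
}

func main() {
	md := []byte("# README\n\nSome *markdown* text.\n") // constructed sample
	for _, ct := range []string{"image/png", "text/markdown", ""} {
		got, err := resolveContentType(ct, md)
		fmt.Printf("declared=%q stored=%q err=%v\n", ct, got, err)
	}
}
```
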