Validation failed: Upload file has an extension that does not match its contents

Question 1

The Paperclip spoofing validation checks are failing because the file command is not able to accurately determine the filetype.

In your log content type discovered from file command: . - the blank space before the period is the result of the output - i.e. blank. However the other side of the comparison uses purely the file extension which is being correctly picked up as an excel file. Hence your validation failure.

The current version of Paperclip is using file -b --mime-type to determine the file, however --mime-type is not supported by all implementations. There is a change to use --mime instead but it's not in a milestone yet.

I think you have a some options. Which you choose depends on how concerned you are about some dodgy file being uploaded and being called an excel file. If you are worried about this then try option 1; if you are not worried go for option 2 or 3.

1) Override the spoofing check to use --mime instead of --mime-type.

Override the type_from_file_command in an initializer:

module Paperclip
  class MediaTypeSpoofDetector
    private

    def type_from_file_command
      # -- original code removed --
      # begin
      #   Paperclip.run("file", "-b --mime-type :file", :file => @file.path)
      # rescue Cocaine::CommandLineError
      #   ""
      # end

      # -- new code follows --
      begin
         Paperclip.run("file", "-b --mime :file", :file => @file.path)
      rescue Cocaine::CommandLineError
        ""
      end
    end
  end
end

2) Bypass the file check by setting the file type totally from it's file extension.

Set this Paperclip option somewhere that is read during initialisation of the application (e.g. config/application.rb, config/environments/<environment>.rb or an config/initializers/paperclip.rb):

Paperclip.options[:content_type_mappings] = { xlsx: 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' }

3) Disable spoofing altogether.

Override the spoofing check by creating something like this in an initializer:

module Paperclip
  class MediaTypeSpoofDetector
    def spoofed?
      false
    end
  end
end

Update:

The validation you have in your model is not the cause of this problem. This validates which types of files you are allowed to load; what you are seeing is Paperclip calculating that the type of the file is valid but its content do not match the type of the file.

Assuming you can get the spoofing validation to work, there is one anomaly with your content validation. The error message you output says "only XML, EXCEL files are allowed", however your actual validation is checking for MS word and excel files, not xml.

If your message is correct and you do want to allow only xml and excel files you should change the content_type validation to be:

validates_attachment_content_type :upload_file, :content_type => %w(application/xml application/vnd.ms-excel application/vnd.openxmlformats-officedocument.spreadsheetml.sheet),
                                                :message => ', Only XML,EXCEL files are allowed. '

Question 2

Faced similar problems tonight on upgrading from 4.2 to 5.3.

Options 1 and 2 from accepted answer didn't worked for me, so I switched from content_type to just file_name validation.

validates_attachment :file, presence: true, file_name: {matches: [/xlsx\Z/]}

Spoofing available but only for concrete attachment - other image/video uploads still checked.

PS: Anyway, paperclip is deprecated and it's time to migrate to ActiveStorage

Question 3

try this way

validates_attachment_content_type :upload_file, :content_type => ["application/msword", "application/vnd.ms-office application/vnd.ms-excel", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"], :message => ', Only XML,EXCEL files are allowed. '