[Django]-How to secure file uploads using Django

8👍

You cannot trust any of the file’s metadata to determine the content. I can send you a file with a .txt extension that could be executed on your machine.

The only relatively safe way to handle this is by inspecting the content. This is not simple, so you should use one of the existing third-party libraries like python-magic.

Even then, there are ways to fool this, wrapping content in the comment fields of other content, etc.

You should never execute user submitted content.
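The following is an added example, not code from the answer above or from Django itself, showing what "inspect the content, not the metadata" looks like as a validator you could call from a Django view. It uses only the standard library: the small magic-byte table is an inline stand-in for libmagic (with python-magic installed you would replace `sniff_mime` by `magic.from_buffer(head, mime=True)`). The allow-list, size limit, sample bodies and the `validate_upload` signature are assumptions made for this example; in a real view the three arguments would come from `request.FILES["..."].name`, `.content_type` and `.read()`.

```python
import os
import secrets

# Allow-list of extensions we accept and the MIME type each must sniff as
# (assumed policy for this example).
ALLOWED_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".pdf": "application/pdf",
}

# Magic-byte signatures at offset 0: an inline stand-in for libmagic so the
# example runs offline.  With python-magic use magic.from_buffer(head, mime=True).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"\x7fELF", "application/x-executable"),
    (b"MZ", "application/x-dosexec"),
    (b"#!", "text/x-script"),
    (b"PK\x03\x04", "application/zip"),
]

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit


class UploadRejected(ValueError):
    """Raised when an upload fails a check; a view would answer 400."""


def sniff_mime(head: bytes) -> str:
    """Classify content by its leading bytes, ignoring name and headers."""
    for signature, mime in SIGNATURES:
        if head.startswith(signature):
            return mime
    return "application/octet-stream"


def validate_upload(client_name: str, declared_type: str, data: bytes):
    """Return (storage_name, sniffed_mime) or raise UploadRejected.

    client_name and declared_type are client-controlled hints; data is the
    body that was actually received and is the only thing we believe.
    """
    # 1. Extension allow-list on the basename only, so path tricks in the
    #    client-supplied name cannot influence where the file is stored.
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    expected = ALLOWED_TYPES[ext]

    # 2. Size bounds before doing anything else with the bytes.
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")

    # 3. A matching declared Content-Type proves nothing, but a mismatch is a
    #    cheap reason to reject early.
    if declared_type != expected:
        raise UploadRejected(f"declared type {declared_type!r} != {expected!r}")

    # 4. The check that matters: what do the bytes themselves look like?
    sniffed = sniff_mime(data[:16])
    if sniffed != expected:
        raise UploadRejected(f"content sniffs as {sniffed!r}, not {expected!r}")

    # 5. Never keep the client's name: store under a random one carrying only
    #    the verified extension.
    return f"{secrets.token_hex(16)}{ext}", sniffed


# Constructed sample bodies (not real files), just enough to drive the sniffer.
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
ELF_BODY = b"\x7fELF\x02\x01\x01" + b"\x00" * 24
# Valid GIF header followed by script text: the "hidden inside another
# format" case the answer warns about.  The sniffer happily calls it a GIF.
GIF_WITH_SCRIPT = b"GIF89a\x01\x00\x01\x00" + b"\n#!/bin/sh\necho hidden\n"


def run_samples():
    """Run the validator over the samples; returns the outcome per case."""
    cases = {
        "real png as photo.png": ("photo.png", "image/png", PNG_BODY),
        "elf binary as photo.png": ("photo.png", "image/png", ELF_BODY),
        "elf binary as notes.txt": ("notes.txt", "text/plain", ELF_BODY),
        "script hidden in gif": ("anim.gif", "image/gif", GIF_WITH_SCRIPT),
    }
    results = {}
    for label, args in cases.items():
        try:
            _, mime = validate_upload(*args)
            results[label] = f"accepted as {mime}"
        except UploadRejected as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in run_samples().items():
        print(f"{label:26} -> {outcome}")
```

The last sample is the point of the answer's caveat: a file that starts with a legitimate GIF header and carries a script after it passes content sniffing, and a richer library such as python-magic would classify it the same way. Sniffing narrows what you accept; it does not make the stored bytes safe to execute or interpret, so the stored file must never be served from a location that runs it, and is best returned as a download (in Django, `FileResponse(..., as_attachment=True)`) rather than rendered in place.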
