> Note: my file manager even identifies the mime type without extension. That is how it should be
No, probing around the file content with a gazillion format-specific heuristics/hacks is not how it should be.
This is a security problem because it makes the probing code a giant attack surface, and there have been CVEs related to precisely that.
The file type should be determined from metadata only (simple, regular and without format-specific idiosyncrasies). Whether that metadata should be a suffix on the filename that's easy to mess up inadvertently is debatable, but Windows has the right idea here.
The .zip file and .xlsx/.docx is a good example of the complexity. It's popular to build certain application files (word docs, excel spreadsheets) that are zip files on the outside. Something with the first bytes 0x50 0x4d 0x03 0x04 (iirc) could be a zip file that the user wants to unzip or an application file that the user wants to open with an application. You need to probe deeper to guess which it is, or rely on the file extension.
No, probing around the file content with a gazillion format-specific heuristics/hacks is not how it should be.
This is a security problem because it makes the probing code a giant attack surface, and there have been CVEs related to precisely that.
The file type should be determined from metadata only (simple, regular and without format-specific idiosyncrasies). Whether that metadata should be a suffix on the filename that's easy to mess up inadvertently is debatable, but Windows has the right idea here.