id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
17061	media_sideload_image() allows upload of 301-redirected non-images	Coolkevman		"When you give {{{media_sideload_image()}}} URLs that are not images, an error is raised.

If for example I do:
{{{
media_sideload_image(""http://google.com"", $post_id, $img_desc);
}}}
then I get this error:
{{{
Sorry, this file type is not permitted for security reasons.
}}}
And this is absolutely normal and expected.

But there is a case when {{{media_sideload_image()}}} do not detect non-images. This case is when the URL given to the function looks like an image but is redirected by Apache to another place.

For example, on my server, this URL:
{{{
http://coolcavemen.com/e107_plugins/autogallery/Gallery/default.jpg
}}}
redirects to:
{{{
http://coolcavemen.com/photos/
}}}

Now if in some PHP code I do:
{{{
media_sideload_image(""http://coolcavemen.com/e107_plugins/autogallery/Gallery/default.jpg"", $post_id, $img_desc);
}}}
then no error is raised and I end up with the HTML served at {{{http://coolcavemen.com/photos/}}} being uploaded to my WordPress site as-is:
{{{
kevin@kev-laptop$ file ./wp-content/uploads/2011/04/default.jpg
./wp-content/uploads/2011/04/default.jpg: HTML document text
}}}

Of course this upload appears broken in the media manager, as you can see in this screenshot: http://twitpic.com/4hlyks"	defect (bug)	new	normal	Awaiting Review	Media	3.1.1	normal		needs-patch	kpayne@… mike.schroder@…