Make WordPress Core

Ticket #11946: 11946.4.patch

File 11946.4.patch, 7.4 KB (added by Viper007Bond, 15 years ago)

Introduce new helper function and use it in all 3 upload functions

  • wp-admin/includes/file.php

     
    306306
    307307        // A correct MIME type will pass this test. Override $mimes or use the upload_mimes filter.
    308308        if ( $test_type ) {
    309                 $wp_filetype = wp_check_filetype( $file['name'], $mimes );
     309                $wp_filetype = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    310310
    311311                extract( $wp_filetype );
    312312
     313                // Check to see if wp_check_filetype_and_ext() determined the filename was incorrect
     314                if ( $proper_filename )
     315                        $file['name'] = $proper_filename;
     316
    313317                if ( ( !$type || !$ext ) && !current_user_can( 'unfiltered_upload' ) )
    314318                        return call_user_func($upload_error_handler, $file, __( 'File type does not meet security guidelines. Try another.' ));
    315319
     
    416420
    417421        // A correct MIME type will pass this test. Override $mimes or use the upload_mimes filter.
    418422        if ( $test_type ) {
    419                 $wp_filetype = wp_check_filetype( $file['name'], $mimes );
     423                $wp_filetype = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    420424
    421425                extract( $wp_filetype );
    422426
    423                 // If the file claims to be an image, validate it's extension
    424                 if ( function_exists('getimagesize') && !empty( $type ) && 'image/' == substr( $type, 0, 6 ) && is_uploaded_file( $file['tmp_name'] ) ) {
    425                         // Attempt to figure out what type of image it really is
    426                         $imgstats = @getimagesize( $file['tmp_name'] );
     427                // Check to see if wp_check_filetype_and_ext() determined the filename was incorrect
     428                if ( $proper_filename )
     429                        $file['name'] = $proper_filename;
    427430
    428                         // If getimagesize() knows what kind of image it really is and if the real MIME doesn't match the claimed MIME
    429                         if ( !empty($imgstats['mime']) && $imgstats['mime'] != $type ) {
    430                                 // This is a simplified array of MIMEs that getimagesize() can detect and their extensions
    431                                 $mime_to_ext = apply_filters( 'getimagesize_mimes_to_exts', array(
    432                                         'image/jpeg' => 'jpg',
    433                                         'image/png'  => 'png',
    434                                         'image/gif'  => 'gif',
    435                                         'image/bmp'  => 'bmp',
    436                                         'image/tiff' => 'tif',
    437                                 ) );
    438 
    439                                 // Replace whatever's after the last period in the filename with the correct extension
    440                                 if ( !empty($mime_to_ext[$imgstats['mime']]) ) {
    441                                         $filename_parts = explode( '.', $file['name'] );
    442                                         array_pop( $filename_parts );
    443                                         $filename_parts[] = $mime_to_ext[$imgstats['mime']];
    444                                         $file['name'] = implode( '.', $filename_parts );
    445 
    446                                         // Re-validate the extension / MIME
    447                                         $wp_filetype = wp_check_filetype( $file['name'], $mimes );
    448                                         extract( $wp_filetype );
    449                                 }
    450                         }
    451                 }
    452 
    453431                if ( ( !$type || !$ext ) && !current_user_can( 'unfiltered_upload' ) )
    454432                        return $upload_error_handler( $file, __( 'File type does not meet security guidelines. Try another.' ));
    455433
  • wp-includes/functions.php

     
    22572257 * @param null $deprecated Never used. Set to null.
    22582258 * @param mixed $bits File content
    22592259 * @param string $time Optional. Time formatted in 'yyyy/mm'.
     2260 * @param array $additional_args Optional. Additional arguments.
    22602261 * @return array
    22612262 */
    2262 function wp_upload_bits( $name, $deprecated, $bits, $time = null ) {
     2263function wp_upload_bits( $name, $deprecated, $bits, $time = null, $additional_args = false ) {
    22632264        if ( !empty( $deprecated ) )
    22642265                _deprecated_argument( __FUNCTION__, '2.0' );
    22652266
     2267        $default_additional_args = array( 'validate_extension' => true, 'mimes' => false );
     2268        $additional_args = wp_parse_args( $additional_args, $default_additional_args );
     2269
    22662270        if ( empty( $name ) )
    22672271                return array( 'error' => __( 'Empty filename' ) );
    22682272
     
    23012305        $perms = $perms & 0000666;
    23022306        @ chmod( $new_file, $perms );
    23032307
     2308        // Attempt to validate the extension as being correct
     2309        if ( $additional_args['validate_extension'] ) {
     2310                $wp_filetype = wp_check_filetype_and_ext( $new_file, $name, $additional_args['mimes'] );
     2311
     2312                // This will be set if the original filename was invalid
     2313                if ( $wp_filetype['proper_filename'] ) {
     2314                        $filename = wp_unique_filename( $upload['path'], $wp_filetype['proper_filename'] );
     2315                        $new_file_path = $upload['path'] . "/$filename";
     2316                        rename( $new_file, $new_file_path );
     2317                        $new_file = $new_file_path;
     2318                }
     2319        }
     2320
    23042321        // Compute the URL
    23052322        $url = $upload['url'] . "/$filename";
    23062323
     
    23632380}
    23642381
    23652382/**
     2383 * Attempt to determine the real file type of a file.
     2384 * If unable to, the file name extension will be used to determine type.
     2385 *
     2386 * If it's determined that the extension does not match the file's real type,
     2387 * then the "proper_filename" value will be set with a proper filename and extension.
     2388 *
     2389 * Currently this function only supports validating images known to getimagesize().
     2390 *
     2391 * @since 3.0
     2392 *
     2393 * @param string $file Full path to the image.
     2394 * @param string $filename The filename of the image (may differ from $file due to $file being in a tmp directory)
     2395 * @param array $mimes Optional. Key is the file extension with value as the mime type.
     2396 * @return array Values for the extension, MIME, and either a corrected filename or false if original $filename is valid
     2397 */
     2398function wp_check_filetype_and_ext( $file, $filename, $mimes = null ) {
     2399
     2400        $proper_filename = false;
     2401
     2402        // Do basic extension validation and MIME mapping
     2403        $wp_filetype = wp_check_filetype( $filename, $mimes );
     2404        extract( $wp_filetype );
     2405
     2406        // We can't do any further validation without a file to work with
     2407        if ( !file_exists( $file ) )
     2408                return compact( 'ext', 'type', 'proper_filename' );
     2409
     2410        // We're able to validate images using GD
     2411        if ( $type && 'image/' == substr( $type, 0, 6 ) && function_exists('getimagesize') ) {
     2412
     2413                // Attempt to figure out what type of image it actually is
     2414                $imgstats = @getimagesize( $file );
     2415
     2416                // If getimagesize() knows what kind of image it really is and if the real MIME doesn't match the claimed MIME
     2417                if ( !empty($imgstats['mime']) && $imgstats['mime'] != $type ) {
     2418                        // This is a simplified array of MIMEs that getimagesize() can detect and their extensions
     2419                        // You shouldn't neeed to use this filter, but it's here just incase
     2420                        $mime_to_ext = apply_filters( 'getimagesize_mimes_to_exts', array(
     2421                                'image/jpeg' => 'jpg',
     2422                                'image/png'  => 'png',
     2423                                'image/gif'  => 'gif',
     2424                                'image/bmp'  => 'bmp',
     2425                                'image/tiff' => 'tif',
     2426                        ) );
     2427
     2428                        // Replace whatever's after the last period in the filename with the correct extension
     2429                        if ( !empty($mime_to_ext[$imgstats['mime']]) ) {
     2430                                $filename_parts = explode( '.', $filename );
     2431                                array_pop( $filename_parts );
     2432                                $filename_parts[] = $mime_to_ext[$imgstats['mime']];
     2433                                $new_filename = implode( '.', $filename_parts );
     2434
     2435                                if ( $new_filename != $filename )
     2436                                        $proper_filename = $new_filename; // Mark that it changed
     2437
     2438                                // Redefine the extension / MIME
     2439                                $wp_filetype = wp_check_filetype( $new_filename, $mimes );
     2440                                extract( $wp_filetype );
     2441                        }
     2442                }
     2443        }
     2444
     2445        // Let plugins try and validate other types of files
     2446        // Should return an array in the style of array( 'ext' => $ext, 'type' => $type, 'proper_filename' => $proper_filename )
     2447        return apply_filters( 'wp_check_filetype_and_ext', compact( 'ext', 'type', 'proper_filename' ), $file, $filename, $mimes );
     2448}
     2449
     2450/**
    23662451 * Retrieve list of allowed mime types and file extensions.
    23672452 *
    23682453 * @since 2.8.6