
Changeset 12165


Timestamp:
11/11/2009 11:07:29 PM (15 years ago)
Author:
ryan
Message:

Sanitize filenames with multiple extensions. see #11122

Location:
trunk/wp-includes
Files:
2 edited

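--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -652,4 +652,37 @@
     $filename = preg_replace('/[\s-]+/', '-', $filename);
     $filename = trim($filename, '.-_');
+
+    // Split the filename into a base and extension[s]
+    $parts = explode('.', $filename);
+
+    // Return if only one extension
+    if ( count($parts) <= 2 )
+        return apply_filters('sanitize_file_name', $filename, $filename_raw);
+
+    // Process multiple extensions
+    $filename = array_shift($parts);
+    $extension = array_pop($parts);
+    $mimes = get_allowed_mime_types();
+
+    // Loop over any intermediate extensions.  Munge them with a trailing underscore if they are a 2 - 5 character
+    // long alpha string not in the extension whitelist.
+    foreach ( (array) $parts as $part) {
+        $filename .= '.' . $part;
+       
+        if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
+            $allowed = false;
+            foreach ( $mimes as $ext_preg => $mime_match ) {
+                $ext_preg = '!(^' . $ext_preg . ')$!i';
+                if ( preg_match( $ext_preg, $part ) ) {
+                    $allowed = true;
+                    break;
+                }
+            }
+            if ( !$allowed )
+                $filename .= '_';
+        }
+    }
+    $filename .= '.' . $extension;
+
     return apply_filters('sanitize_file_name', $filename, $filename_raw);
 }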
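Review bot: The whitelist test in the inner loop is mis-anchored: `'!(^' . $ext_preg . ')$!i'` applies `^` only to the first alternative of a multi-part key such as `jpg|jpeg|jpe`, so an intermediate part that merely ends in a later alternative (e.g. `xjpeg`) is classified as allowed and escapes the underscore munging. Moving the anchor outside the group, `$ext_preg = '!^(' . $ext_preg . ')$!i';`, anchors every alternative and makes the test a true whole-string match. The comment above the loop says "2 - 5 character long alpha string" while the regex `^[a-zA-Z]{2,5}\d?$` also admits one trailing digit; the comment should mention the digit so the two agree. The enclosing sanitize_file_name() begins outside the hunk.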
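--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -2261,6 +2261,34 @@
  */
 function wp_check_filetype( $filename, $mimes = null ) {
-    // Accepted MIME types are set here as PCRE unless provided.
-    $mimes = ( is_array( $mimes ) ) ? $mimes : apply_filters( 'upload_mimes', array(
+    if ( null === $mimes )
+        $mimes = get_allowed_mime_types();
+    $type = false;
+    $ext = false;
+
+    foreach ( $mimes as $ext_preg => $mime_match ) {
+        $ext_preg = '!\.(' . $ext_preg . ')$!i';
+        if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {
+            $type = $mime_match;
+            $ext = $ext_matches[1];
+            break;
+        }
+    }
+
+    return compact( 'ext', 'type' );
+}
+
+/**
+ * Retrieve list of allowed mime types and file extensions.
+ *
+ * @since 2.8.6
+ *
+ * @return array Array of mime types keyed by the file extension regex corresponding to those types.
+ */
+function get_allowed_mime_types() {
+    static $mimes = false;
+
+    if ( !$mimes ) {
+        // Accepted MIME types are set here as PCRE unless provided.
+        $mimes = apply_filters( 'upload_mimes', array(
         'jpg|jpeg|jpe' => 'image/jpeg',
         'gif' => 'image/gif',
@@ -2308,22 +2336,9 @@
         'odb' => 'application/vnd.oasis.opendocument.database',
         'odf' => 'application/vnd.oasis.opendocument.formula',
-        )
-    );
-
-    $type = false;
-    $ext = false;
-
-    foreach ( $mimes as $ext_preg => $mime_match ) {
-        $ext_preg = '!\.(' . $ext_preg . ')$!i';
-        if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {
-            $type = $mime_match;
-            $ext = $ext_matches[1];
-            break;
-        }
-    }
-
-    return compact( 'ext', 'type' );
-}
-
+        ) );
+    }
+
+    return $mimes;
+}
 /**
  * Retrieve nonce action "Are you sure" message.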
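Review bot: Replacing the `is_array( $mimes )` test with `null === $mimes` in wp_check_filetype() drops the guard for a non-array, non-null argument (e.g. `false` or a string), which now reaches `foreach` and raises a warning instead of falling back to the default list; `if ( ! is_array( $mimes ) )` keeps the previous behaviour while still delegating to the new helper. get_allowed_mime_types() also memoises the filtered list in a `static` for the rest of the request, so `upload_mimes` filters attached or removed after the first call are no longer observed by later calls, whereas the removed code re-applied the filter on every call; if that is intended, the docblock should say so, e.g. `The result is cached per request; filters attached after the first call have no effect.`. Note that `if ( !$mimes )` re-runs the filter whenever it returns an empty array, since `array()` is falsy, so an intentionally empty whitelist is never cached.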