
Changeset 12166


Timestamp:
11/11/2009 11:10:13 PM (11 years ago)
Author:
ryan
Message:

Sanitize filenames with multiple extensions. see #11122

Location:
branches/2.8/wp-includes
Files:
2 edited

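--- a/branches/2.8/wp-includes/formatting.php
+++ b/branches/2.8/wp-includes/formatting.php
@@ -606,4 +606,37 @@
     $filename = preg_replace('/[\s-]+/', '-', $filename);
     $filename = trim($filename, '.-_');
+
+    // Split the filename into a base and extension[s]
+    $parts = explode('.', $filename);
+
+    // Return if only one extension
+    if ( count($parts) <= 2 )
+        return apply_filters('sanitize_file_name', $filename, $filename_raw);
+
+    // Process multiple extensions
+    $filename = array_shift($parts);
+    $extension = array_pop($parts);
+    $mimes = get_allowed_mime_types();
+
+    // Loop over any intermediate extensions.  Munge them with a trailing underscore if they are a 2 - 5 character
+    // long alpha string not in the extension whitelist.
+    foreach ( (array) $parts as $part) {
+        $filename .= '.' . $part;
+       
+        if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
+            $allowed = false;
+            foreach ( $mimes as $ext_preg => $mime_match ) {
+                $ext_preg = '!(^' . $ext_preg . ')$!i';
+                if ( preg_match( $ext_preg, $part ) ) {
+                    $allowed = true;
+                    break;
+                }
+            }
+            if ( !$allowed )
+                $filename .= '_';
+        }
+    }
+    $filename .= '.' . $extension;
+
     return apply_filters('sanitize_file_name', $filename, $filename_raw);
 }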
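Review bot: The allow-list pattern built in the inner loop, `'!(^' . $ext_preg . ')$!i'`, places the `^` inside the group, so it anchors only the first alternative of a key such as `jpg|jpeg|jpe`; an intermediate part that merely ends in one of the later alternatives is treated as allowed and does not get the trailing underscore. Moving the anchor outside the group, `$ext_preg = '!^(' . $ext_preg . ')$!i';`, makes every alternative a whole-part match. The outer filter `/^[a-zA-Z]{2,5}\d?$/` also means parts outside that shape are never munged, so the comment above the loop should say that this is a heuristic and that handler mapping in the upload directory still has to be restricted on the server side. The enclosing function starts above the hunk.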
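--- a/branches/2.8/wp-includes/functions.php
+++ b/branches/2.8/wp-includes/functions.php
@@ -2227,6 +2227,34 @@
  */
 function wp_check_filetype( $filename, $mimes = null ) {
-    // Accepted MIME types are set here as PCRE unless provided.
-    $mimes = ( is_array( $mimes ) ) ? $mimes : apply_filters( 'upload_mimes', array(
+    if ( null === $mimes )
+        $mimes = get_allowed_mime_types();
+    $type = false;
+    $ext = false;
+
+    foreach ( $mimes as $ext_preg => $mime_match ) {
+        $ext_preg = '!\.(' . $ext_preg . ')$!i';
+        if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {
+            $type = $mime_match;
+            $ext = $ext_matches[1];
+            break;
+        }
+    }
+
+    return compact( 'ext', 'type' );
+}
+
+/**
+ * Retrieve list of allowed mime types and file extensions.
+ *
+ * @since 2.8.6
+ *
+ * @return array Array of mime types keyed by the file extension regex corresponding to those types.
+ */
+function get_allowed_mime_types() {
+    static $mimes = false;
+
+    if ( !$mimes ) {
+        // Accepted MIME types are set here as PCRE unless provided.
+        $mimes = apply_filters( 'upload_mimes', array(
         'jpg|jpeg|jpe' => 'image/jpeg',
         'gif' => 'image/gif',
@@ -2274,22 +2302,9 @@
         'odb' => 'application/vnd.oasis.opendocument.database',
         'odf' => 'application/vnd.oasis.opendocument.formula',
-        )
-    );
-
-    $type = false;
-    $ext = false;
-
-    foreach ( $mimes as $ext_preg => $mime_match ) {
-        $ext_preg = '!\.(' . $ext_preg . ')$!i';
-        if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {
-            $type = $mime_match;
-            $ext = $ext_matches[1];
-            break;
-        }
-    }
-
-    return compact( 'ext', 'type' );
-}
-
+        ) );
+    }
+
+    return $mimes;
+}
 /**
  * Retrieve nonce action "Are you sure" message.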
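Review bot: `get_allowed_mime_types()` caches the filtered list in `static $mimes`, so the `upload_mimes` filter now runs once per request, whereas the removed code in `wp_check_filetype()` applied it on every default call; a callback registered after the first call, including one that narrows the list, is silently ignored. Either drop the cache (remove `static $mimes = false;` and the `if ( !$mimes )` guard) or state the behaviour in the docblock, e.g. `Note: the 'upload_mimes' filter is applied on the first call only.` Separately, `if ( null === $mimes )` replaces the old `is_array( $mimes )` test, so a non-array, non-null argument now reaches the `foreach` and yields `false` for both keys instead of falling back to the defaults; `if ( ! is_array( $mimes ) )` would keep the previous contract. The middle of the array literal is elided on the page, and the docblock of `wp_check_filetype()` starts above the first hunk.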