Changeset 39842 for branches/3.7/src

Timestamp:

01/11/2017 01:21:01 PM (8 years ago)

Author:

joemcgill

Message:

Media: Improve image filetype checking.

This adds a new function wp_get_image_mime() which is used by
wp_check_filetype_and_ext() to validate image files using
exif_imagetype() if available instead of getimagesize().

getimagesize() is less performant than exif_imagetype() and is
dependent on GD. If exif_imagetype() is not available, it falls back to
getimagesize() as before.

If wp_check_filetype_and_ext() can't validate the filetype, we now return
false for ext/MIME values.

Merges [39831] to the 3.7 branch.

Location:

branches/3.7

Files:

• . (modified) (1 prop)
• src (modified) (1 prop)
• src/wp-includes/functions.php (modified) (5 diffs)

branches/3.7/src/wp-includes/functions.php

@@ -1879 +1879 @@
  * then the "proper_filename" value will be set with a proper filename and extension.
  *
- * Currently this function only supports validating images known to getimagesize().
+ * Currently this function only supports renaming images validated via wp_get_image_mime().
  *
  * @since 3.0.0
@@ -1900 +1900 @@
         return compact( 'ext', 'type', 'proper_filename' );
 
-    // We're able to validate images using GD
-    if ( $type && 0 === strpos( $type, 'image/' ) && function_exists('getimagesize') ) {
+    // Validate image types.
+    if ( $type && 0 === strpos( $type, 'image/' ) ) {
 
         // Attempt to figure out what type of image it actually is
-        $imgstats = @getimagesize( $file );
-
-        // If getimagesize() knows what kind of image it really is and if the real MIME doesn't match the claimed MIME
-        if ( !empty($imgstats['mime']) && $imgstats['mime'] != $type ) {
+        $real_mime = wp_get_image_mime( $file );
+
+        if ( ! $real_mime ) {
+            $type = $ext = false;
+        } elseif ( $real_mime != $type ) {
             // This is a simplified array of MIMEs that getimagesize() can detect and their extensions
             // You shouldn't need to use this filter, but it's here just in case
@@ -1919 +1920 @@
 
             // Replace whatever is after the last period in the filename with the correct extension
-            if ( ! empty( $mime_to_ext[ $imgstats['mime'] ] ) ) {
+            if ( ! empty( $mime_to_ext[ $real_mime ] ) ) {
                 $filename_parts = explode( '.', $filename );
                 array_pop( $filename_parts );
-                $filename_parts[] = $mime_to_ext[ $imgstats['mime'] ];
+                $filename_parts[] = $mime_to_ext[ $real_mime ];
                 $new_filename = implode( '.', $filename_parts );
 
@@ -1931 +1932 @@
                 $wp_filetype = wp_check_filetype( $new_filename, $mimes );
                 extract( $wp_filetype );
+            } else {
+                $type = $ext = false;
             }
+        }
+    } elseif ( function_exists( 'finfo_file' ) ) {
+        // Use finfo_file if available to validate non-image files.
+        $finfo = finfo_open( FILEINFO_MIME_TYPE );
+        $real_mime = finfo_file( $finfo, $file );
+        finfo_close( $finfo );
+
+        // If the extension does not match the file's real type, return false.
+        if ( $real_mime !== $type ) {
+            $type = $ext = false;
         }
     }
@@ -1938 +1951 @@
     // Should return an array in the style of array( 'ext' => $ext, 'type' => $type, 'proper_filename' => $proper_filename )
     return apply_filters( 'wp_check_filetype_and_ext', compact( 'ext', 'type', 'proper_filename' ), $file, $filename, $mimes );
+}
+
+/**
+ * Returns the real mime type of an image file.
+ *
+ * This depends on exif_imagetype() or getimagesize() to determine real mime types.
+ *
+ * @since 4.7.1
+ *
+ * @param string $file Full path to the file.
+ * @return string|false The actual mime type or false if the type cannot be determined.
+ */
+function wp_get_image_mime( $file ) {
+    /*
+     * Use exif_imagetype() to check the mimetype if available or fall back to
+     * getimagesize() if exif isn't avaialbe. If either function throws an Exception
+     * we assume the file could not be validated.
+     */
+    try {
+        if ( ! is_callable( 'exif_imagetype' ) ) {
+            $mime = image_type_to_mime_type( exif_imagetype( $file ) );
+        } elseif ( function_exists( 'getimagesize' ) ) {
+            $imagesize = getimagesize( $file );
+            $mime = ( isset( $imagesize['mime'] ) ) ? $imagesize['mime'] : false;
+        } else {
+            $mime = false;
+        }
+    } catch ( Exception $e ) {
+        $mime = false;
+    }
+
+    return $mime;
 }