

Timestamp:
02/27/2017 07:27:58 PM (8 years ago)
Author:
joemcgill
Message:

Media: Reduce failing uploads following 4.7.1.

[39831] introduced more strict MIME type checking for uploads, which
resulted in unintentionally blocking several filetypes that were
previously valid. This change uses a more targeted approach to MIME
validation to restore previous behavior for most types.

Props blobfolio, iandunn, ipstenu, markoheijnen, xknown, joemcgill.
Merges [40124] and [40125] to the 4.7 branch.
Fixes #39550, #39552.

Location:
branches/4.7
Files:
2 edited

  • branches/4.7

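--- a/branches/4.7/src/wp-includes/functions.php
+++ b/branches/4.7/src/wp-includes/functions.php
@@ -2269,4 +2269,6 @@
     }
 
+    $real_mime = false;
+
     // Validate image types.
     if ( $type && 0 === strpos( $type, 'image/' ) ) {
@@ -2275,7 +2277,5 @@
         $real_mime = wp_get_image_mime( $file );
 
-        if ( ! $real_mime ) {
-            $type = $ext = false;
-        } elseif ( $real_mime != $type ) {
+        if ( $real_mime && $real_mime != $type ) {
             /**
              * Filters the list mapping image mime types to their respective extensions.
@@ -2308,16 +2308,27 @@
                 $type = $wp_filetype['type'];
             } else {
-                $type = $ext = false;
+                // Reset $real_mime and try validating again.
+                $real_mime = false;
             }
         }
-    } elseif ( function_exists( 'finfo_file' ) ) {
-        // Use finfo_file if available to validate non-image files.
+    }
+
+    // Validate files that didn't get validated during previous checks.
+    if ( $type && ! $real_mime && extension_loaded( 'fileinfo' ) ) {
         $finfo = finfo_open( FILEINFO_MIME_TYPE );
         $real_mime = finfo_file( $finfo, $file );
         finfo_close( $finfo );
 
-        // If the extension does not match the file's real type, return false.
-        if ( $real_mime !== $type ) {
-            $type = $ext = false;
+        /*
+         * If $real_mime doesn't match what we're expecting, we need to do some extra
+         * vetting of application mime types to make sure this type of file is allowed.
+         * Other mime types are assumed to be safe, but should be considered unverified.
+         */
+        if ( $real_mime && ( $real_mime !== $type ) && ( 0 === strpos( $real_mime, 'application' ) ) ) {
+            $allowed = get_allowed_mime_types();
+
+            if ( ! in_array( $real_mime, $allowed ) ) {
+                $type = $ext = false;
+            }
         }
     }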
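Review bot: The mismatch check in the last hunk fails open for every detected type outside `application`. A file whose content `finfo_file()` reports as some other family (for example `text/*`) keeps the claimed `$type` and `$ext` even though they disagree with the content. The same relaxation means an `image/*` upload for which `wp_get_image_mime()` returns false is no longer rejected in the image branch, and when `fileinfo` is not loaded it gets no content check at all. If that trade-off is intended for compatibility, I would still test every mismatched `$real_mime` against the allow-list by dropping the `0 === strpos( $real_mime, 'application' )` clause, and make the lookup strict: `if ( ! in_array( $real_mime, $allowed, true ) ) {`. The enclosing function starts and ends outside the visible hunks, so whether callers are given `$real_mime` to apply their own policy cannot be confirmed from here.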