Changeset 43991 for branches/4.7/src/wp-includes/functions.php
- Timestamp:
- 12/12/2018 11:04:17 PM (6 years ago)
- Location:
- branches/4.7
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/4.7
- Property svn:mergeinfo changed
/branches/5.0 (added) merged: 43988
- Property svn:mergeinfo changed
-
branches/4.7/src/wp-includes/functions.php
r43395 r43991 2333 2333 finfo_close( $finfo ); 2334 2334 2335 // fileinfo often misidentifies obscure files as one of these types 2336 $nonspecific_types = array( 2337 'application/octet-stream', 2338 'application/encrypted', 2339 'application/CDFV2-encrypted', 2340 'application/zip', 2341 ); 2342 2335 2343 /* 2336 * If $real_mime doesn't match what we're expecting, we need to do some extra2337 * vetting of application mime types to make sure this type of file is allowed.2338 * Other mime types are assumed to be safe, but should be considered unverified.2344 * If $real_mime doesn't match the content type we're expecting from the file's extension, 2345 * we need to do some additional vetting. Media types and those listed in $nonspecific_types are 2346 * allowed some leeway, but anything else must exactly match the real content type. 2339 2347 */ 2340 if ( $real_mime && ( $real_mime !== $type ) && ( 0 === strpos( $real_mime, 'application' ) ) ) { 2341 $allowed = get_allowed_mime_types(); 2342 2343 if ( ! in_array( $real_mime, $allowed ) ) { 2348 if ( in_array( $real_mime, $nonspecific_types, true ) ) { 2349 // File is a non-specific binary type. That's ok if it's a type that generally tends to be binary. 2350 if ( !in_array( substr( $type, 0, strcspn( $type, '/' ) ), array( 'application', 'video', 'audio' ) ) ) { 2344 2351 $type = $ext = false; 2345 2352 } 2353 } elseif ( 0 === strpos( $real_mime, 'video/' ) || 0 === strpos( $real_mime, 'audio/' ) ) { 2354 /* 2355 * For these types, only the major type must match the real value. 2356 * This means that common mismatches are forgiven: application/vnd.apple.numbers is often misidentified as application/zip, 2357 * and some media files are commonly named with the wrong extension (.mov instead of .mp4) 2358 */ 2359 2360 if ( substr( $real_mime, 0, strcspn( $real_mime, '/' ) ) !== substr( $type, 0, strcspn( $type, '/' ) ) ) { 2361 $type = $ext = false; 2362 } 2363 } else { 2364 if ( $type !== $real_mime ) { 2365 /* 2366 * Everything else including image/* and application/*: 2367 * If the real content type doesn't match the file extension, assume it's dangerous. 2368 */ 2369 $type = $ext = false; 2370 } 2371 2372 } 2373 } 2374 2375 // The mime type must be allowed 2376 if ( $type ) { 2377 $allowed = get_allowed_mime_types(); 2378 2379 if ( ! in_array( $type, $allowed ) ) { 2380 $type = $ext = false; 2346 2381 } 2347 2382 }
Note: See TracChangeset
for help on using the changeset viewer.