Changeset 44011
- Timestamp:
- 12/12/2018 11:45:16 PM (5 years ago)
- Location:
- branches/3.8
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/3.8
- Property svn:mergeinfo changed
/branches/5.0 (added) merged: 43988
- Property svn:mergeinfo changed
-
branches/3.8/src/wp-includes/functions.php
r43404 r44011 1969 1969 } 1970 1970 } 1971 } elseif ( function_exists( 'finfo_file' ) ) { 1972 // Use finfo_file if available to validate non-image files. 1971 } 1972 1973 // Validate files that didn't get validated during previous checks. 1974 if ( $type && ! $real_mime && extension_loaded( 'fileinfo' ) ) { 1973 1975 $finfo = finfo_open( FILEINFO_MIME_TYPE ); 1974 1976 $real_mime = finfo_file( $finfo, $file ); 1975 1977 finfo_close( $finfo ); 1976 1978 1977 // If the extension does not match the file's real type, return false. 1978 if ( $real_mime !== $type ) { 1979 // fileinfo often misidentifies obscure files as one of these types 1980 $nonspecific_types = array( 1981 'application/octet-stream', 1982 'application/encrypted', 1983 'application/CDFV2-encrypted', 1984 'application/zip', 1985 ); 1986 1987 /* 1988 * If $real_mime doesn't match the content type we're expecting from the file's extension, 1989 * we need to do some additional vetting. Media types and those listed in $nonspecific_types are 1990 * allowed some leeway, but anything else must exactly match the real content type. 1991 */ 1992 if ( in_array( $real_mime, $nonspecific_types, true ) ) { 1993 // File is a non-specific binary type. That's ok if it's a type that generally tends to be binary. 1994 if ( !in_array( substr( $type, 0, strcspn( $type, '/' ) ), array( 'application', 'video', 'audio' ) ) ) { 1995 $type = $ext = false; 1996 } 1997 } elseif ( 0 === strpos( $real_mime, 'video/' ) || 0 === strpos( $real_mime, 'audio/' ) ) { 1998 /* 1999 * For these types, only the major type must match the real value. 2000 * This means that common mismatches are forgiven: application/vnd.apple.numbers is often misidentified as application/zip, 2001 * and some media files are commonly named with the wrong extension (.mov instead of .mp4) 2002 */ 2003 2004 if ( substr( $real_mime, 0, strcspn( $real_mime, '/' ) ) !== substr( $type, 0, strcspn( $type, '/' ) ) ) { 2005 $type = $ext = false; 2006 } 2007 } else { 2008 if ( $type !== $real_mime ) { 2009 /* 2010 * Everything else including image/* and application/*: 2011 * If the real content type doesn't match the file extension, assume it's dangerous. 2012 */ 2013 $type = $ext = false; 2014 } 2015 2016 } 2017 } 2018 2019 // The mime type must be allowed 2020 if ( $type ) { 2021 $allowed = get_allowed_mime_types(); 2022 2023 if ( ! in_array( $type, $allowed ) ) { 1979 2024 $type = $ext = false; 1980 2025 }
Note: See TracChangeset
for help on using the changeset viewer.