
Changeset 44292


Timestamp:
12/18/2018 04:34:17 PM (6 years ago)
Author:
desrosj
Message:

Media: Improve verification of MIME file types.

Merges [43988] to trunk.

Location:
trunk
Files:
3 edited


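--- a/trunk/src/wp-includes/functions.php
+++ b/trunk/src/wp-includes/functions.php
@@ -2546,15 +2546,49 @@
         finfo_close( $finfo );
 
+        // fileinfo often misidentifies obscure files as one of these types
+        $nonspecific_types = array(
+            'application/octet-stream',
+            'application/encrypted',
+            'application/CDFV2-encrypted',
+            'application/zip',
+        );
+
         /*
-         * If $real_mime doesn't match what we're expecting, we need to do some extra
-         * vetting of application mime types to make sure this type of file is allowed.
-         * Other mime types are assumed to be safe, but should be considered unverified.
+         * If $real_mime doesn't match the content type we're expecting from the file's extension,
+         * we need to do some additional vetting. Media types and those listed in $nonspecific_types are
+         * allowed some leeway, but anything else must exactly match the real content type.
          */
-        if ( $real_mime && ( $real_mime !== $type ) && ( 0 === strpos( $real_mime, 'application' ) ) ) {
-            $allowed = get_allowed_mime_types();
-
-            if ( ! in_array( $real_mime, $allowed ) ) {
+        if ( in_array( $real_mime, $nonspecific_types, true ) ) {
+            // File is a non-specific binary type. That's ok if it's a type that generally tends to be binary.
+            if ( ! in_array( substr( $type, 0, strcspn( $type, '/' ) ), array( 'application', 'video', 'audio' ) ) ) {
                 $type = $ext = false;
             }
+        } elseif ( 0 === strpos( $real_mime, 'video/' ) || 0 === strpos( $real_mime, 'audio/' ) ) {
+            /*
+             * For these types, only the major type must match the real value.
+             * This means that common mismatches are forgiven: application/vnd.apple.numbers is often misidentified as application/zip,
+             * and some media files are commonly named with the wrong extension (.mov instead of .mp4)
+             */
+
+            if ( substr( $real_mime, 0, strcspn( $real_mime, '/' ) ) !== substr( $type, 0, strcspn( $type, '/' ) ) ) {
+                $type = $ext = false;
+            }
+        } else {
+            if ( $type !== $real_mime ) {
+                /*
+                 * Everything else including image/* and application/*:
+                 * If the real content type doesn't match the file extension, assume it's dangerous.
+                 */
+                $type = $ext = false;
+            }
+        }
+    }
+
+    // The mime type must be allowed
+    if ( $type ) {
+        $allowed = get_allowed_mime_types();
+
+        if ( ! in_array( $type, $allowed ) ) {
+            $type = $ext = false;
         }
     }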
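Review bot: The non-specific branch on new lines 2561–2563 accepts a file that fileinfo reports as `application/zip` or `application/octet-stream` under any extension whose declared type has an `application`, `video` or `audio` major type, so a real ZIP archive named `.pdf` passes as `application/pdf` as long as that extension is in `get_allowed_mime_types()`. The comment at 2567–2571 shows the leeway is intended for zip-based formats such as Numbers, but the trade-off deserves a line in the comment at 2557–2559 — e.g. `* Note: an archive fileinfo reports as application/zip is still accepted under any allowed application/* extension.` — and a test with a ZIP renamed to a non-container extension. `in_array( substr( $type, 0, strcspn( $type, '/' ) ), array( 'application', 'video', 'audio' ) )` on 2563 omits the strict flag that 2561 passes; `in_array( substr( $type, 0, strcspn( $type, '/' ) ), array( 'application', 'video', 'audio' ), true )` keeps the two membership checks consistent. When `finfo_file()` returns `false`, neither of the first two branches matches and the `else` branch clears `$type`, so a detection failure fails closed; stating that in the comment would stop a later edit from loosening it by accident. The block enclosing this `if`/`elseif`/`else` chain, and the assignments to `$type`, `$ext` and `$real_mime`, begin outside the hunk.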
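--- a/trunk/tests/phpunit/tests/functions.php
+++ b/trunk/tests/phpunit/tests/functions.php
@@ -1302,6 +1302,6 @@
                 'big5.jpg',
                 array(
-                    'ext'             => 'jpg',
-                    'type'            => 'image/jpeg',
+                    'ext'             => false,
+                    'type'            => false,
                     'proper_filename' => false,
                 ),
@@ -1311,4 +1311,24 @@
                 DIR_TESTDATA . '/export/crazy-cdata.xml',
                 'crazy-cdata.xml',
+                array(
+                    'ext'             => false,
+                    'type'            => false,
+                    'proper_filename' => false,
+                ),
+            ),
+            // Non-image file not allowed even if it's named like one.
+            array(
+                DIR_TESTDATA . '/export/crazy-cdata.xml',
+                'crazy-cdata.jpg',
+                array(
+                    'ext'             => false,
+                    'type'            => false,
+                    'proper_filename' => false,
+                ),
+            ),
+            // Non-image file not allowed if it's named like something else.
+            array(
+                DIR_TESTDATA . '/export/crazy-cdata.xml',
+                'crazy-cdata.doc',
                 array(
                     'ext'             => false,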
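Review bot: The new data-provider cases at 1319–1332 exercise one XML fixture under `.xml`, `.jpg` and `.doc`, which only reaches the strict `else` path of the core change; none of them covers the leeway the same changeset introduces for a file fileinfo reports as `application/zip` or `application/octet-stream` under an `application/*` extension, or a `video/`/`audio/` major-type mismatch, so those paths stay unpinned. A case with a ZIP-based fixture (e.g. a `.docx`) expected to keep its `ext`/`type`, and one with the same archive renamed to a non-container extension, would document what the leeway is meant to accept and reject. The `big5.jpg` expectation at 1304–1305 flips to `false`/`false` without a comment; presumably the fixture's content no longer passes as a JPEG, and a comment such as `// big5.jpg is not a valid JPEG, so the declared extension is rejected.` should be added only if that holds for the fixture. The enclosing data-provider method starts and ends outside the hunk.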