Changeset 44443

Timestamp:

01/07/2019 10:22:03 PM (6 years ago)

Author:

joemcgill

Message:

Upload: Fix upload failures of common text file types.

This adds some special case handling in 'wp_check_filetype_and_ext()' that prevents some common file types from being blocked based on mismatched MIME checks, which were made more strict in WordPress 5.0.1.

Merges [44438], [44439], [44441], and [44442] to the 4.9 branch.

Props Kloon, birgire, tellyworth, joemcgill.
See #45615.

Location:

branches/5.0

Files:

• . (modified) (1 prop)
• src/wp-includes/functions.php (modified) (1 diff)
• tests/phpunit/data/uploads/test.csv (copied) (copied from trunk/tests/phpunit/data/uploads/test.csv)
• tests/phpunit/data/uploads/test.dfxp (copied) (copied from trunk/tests/phpunit/data/uploads/test.dfxp)
• tests/phpunit/data/uploads/test.rtf (copied) (copied from trunk/tests/phpunit/data/uploads/test.rtf)
• tests/phpunit/data/uploads/test.tsv (copied) (copied from trunk/tests/phpunit/data/uploads/test.tsv)
• tests/phpunit/data/uploads/test.vtt (copied) (copied from trunk/tests/phpunit/data/uploads/test.vtt)
• tests/phpunit/tests/functions.php (modified) (2 diffs)

branches/5.0/src/wp-includes/functions.php

@@ -2374 +2374 @@
              * and some media files are commonly named with the wrong extension (.mov instead of .mp4)
              */
-
             if ( substr( $real_mime, 0, strcspn( $real_mime, '/' ) ) !== substr( $type, 0, strcspn( $type, '/' ) ) ) {
+                $type = $ext = false;
+            }
+        } elseif ( 'text/plain' === $real_mime ) {
+            // A few common file types are occasionally detected as text/plain; allow those.
+            if ( ! in_array(
+                $type,
+                array(
+                    'text/plain',
+                    'text/csv',
+                    'text/richtext',
+                    'text/tsv',
+                    'text/vtt',
+                )
+            )
+            ) {
+                $type = $ext = false;
+            }
+        } elseif ( 'text/rtf' === $real_mime ) {
+            // Special casing for RTF files.
+            if ( ! in_array(
+                $type,
+                array(
+                    'text/rtf',
+                    'text/plain',
+                    'application/rtf',
+                )
+            )
+            ) {
                 $type = $ext = false;
             }

branches/5.0/tests/phpunit/tests/functions.php

@@ -1073 +1073 @@
 
     /**
-     * Data profider for test_wp_get_image_mime();
+     * Data provider for test_wp_get_image_mime();
      */
     public function _wp_get_image_mime() {
@@ -1179 +1179 @@
                 ),
             ),
+            // Non-image file not allowed even if it's named like one.
+            array(
+                DIR_TESTDATA . '/export/crazy-cdata.xml',
+                'crazy-cdata.jpg',
+                array(
+                    'ext'             => false,
+                    'type'            => false,
+                    'proper_filename' => false,
+                ),
+            ),
+            // Non-image file not allowed if it's named like something else.
+            array(
+                DIR_TESTDATA . '/export/crazy-cdata.xml',
+                'crazy-cdata.doc',
+                array(
+                    'ext'             => false,
+                    'type'            => false,
+                    'proper_filename' => false,
+                ),
+            ),
         );
 
         // Test a few additional file types on single sites.
         if ( ! is_multisite() ) {
-            $data = array_merge( $data, array(
-                // Standard non-image file.
+            $data = array_merge(
+                $data,
                 array(
-                    DIR_TESTDATA . '/formatting/big5.txt',
-                    'big5.txt',
+                    // Standard non-image file.
                     array(
-                        'ext' => 'txt',
-                        'type' => 'text/plain',
-                        'proper_filename' => false,
+                        DIR_TESTDATA . '/formatting/big5.txt',
+                        'big5.txt',
+                        array(
+                            'ext' => 'txt',
+                            'type' => 'text/plain',
+                            'proper_filename' => false,
+                        ),
                     ),
-                ),
-                // Non-image file with wrong sub-type.
-                array(
-                    DIR_TESTDATA . '/uploads/pages-to-word.docx',
-                    'pages-to-word.docx',
+                    // Non-image file with wrong sub-type.
                     array(
-                        'ext' => 'docx',
-                        'type' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
-                        'proper_filename' => false,
+                        DIR_TESTDATA . '/uploads/pages-to-word.docx',
+                        'pages-to-word.docx',
+                        array(
+                            'ext' => 'docx',
+                            'type' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+                            'proper_filename' => false,
+                        ),
                     ),
-                ),
-                // FLAC file.
-                array(
-                    DIR_TESTDATA . '/uploads/small-audio.flac',
-                    'small-audio.flac',
+                    // FLAC file.
                     array(
-                        'ext' => 'flac',
-                        'type' => 'audio/flac',
-                        'proper_filename' => false,
+                        DIR_TESTDATA . '/uploads/small-audio.flac',
+                        'small-audio.flac',
+                        array(
+                            'ext' => 'flac',
+                            'type' => 'audio/flac',
+                            'proper_filename' => false,
+                        ),
                     ),
-                ),
-            ) );
+                    // Assorted text/* sample files
+                    array(
+                        DIR_TESTDATA . '/uploads/test.vtt',
+                        'test.vtt',
+                        array(
+                            'ext'             => 'vtt',
+                            'type'            => 'text/vtt',
+                            'proper_filename' => false,
+                        ),
+                    ),
+                    array(
+                        DIR_TESTDATA . '/uploads/test.csv',
+                        'test.csv',
+                        array(
+                            'ext'             => 'csv',
+                            'type'            => 'text/csv',
+                            'proper_filename' => false,
+                        ),
+                    ),
+                    // RTF files.
+                    array(
+                        DIR_TESTDATA . '/uploads/test.rtf',
+                        'test.rtf',
+                        array(
+                            'ext'             => 'rtf',
+                            'type'            => 'application/rtf',
+                            'proper_filename' => false,
+                        ),
+                    ),
+                )
+            );
         }