#11946 closed defect (bug) (fixed)
Ensure image MIME type matches extension
Reported by: | Viper007Bond | Owned by: | Viper007Bond |
---|---|---|---|
Milestone: | 4.7.1 | Priority: | normal |
Severity: | minor | Version: | 3.0 |
Component: | Upload | Keywords: | has-patch |
Focuses: | Cc: |
Description
Take a bitmap (BMP) and rename it to .png
. WordPress will say it's an image/png
everywhere you look. This can cause issues if you're trying to manipulate it (thumbnail it, etc.).
We should either fix the extension or reject it.
Attachments (7)
Change History (48)
#2
@
15 years ago
- Summary changed from Ensure MIME type matches extension to Ensure image MIME type matches extension
Above patch fixes the extension. Tested and seems to work great.
#3
@
15 years ago
- Keywords has-patch needs-testing added
- Milestone changed from Unassigned to Future Release
#4
@
15 years ago
This patch requires GD and should therefore be wrapped in if ( function_exists('getimagesize') ) {
. The patch is just a preliminary one though, so I won't bother updating it yet.
#5
@
15 years ago
- Cc ShaneF added
- Keywords tested added; needs-testing removed
I took a "png" renamed it to "gif" (with patch). Uploaded. File was changed to the correct format, but in the editor it still says "File type: image/gif". Perhaps override the file type as well?
#6
follow-up:
↓ 7
@
15 years ago
- Milestone changed from Future Release to 2.9.2
This is a potential security problem. Recommending 2.9.2 release fix.
#7
in reply to:
↑ 6
@
15 years ago
Replying to ShaneF:
This is a potential security problem. Recommending 2.9.2 release fix.
I can't think of a way to validate other extensions though, i.e. say a EXE uploaded as an AVI.
#8
follow-up:
↓ 9
@
15 years ago
Don't we have an array already in there that is offering mime-types per extension? I think it's adviseable to use the same datasource here therein the patch as well instead offering duplicate data.
#9
in reply to:
↑ 8
;
follow-up:
↓ 10
@
15 years ago
Replying to hakre:
Don't we have an array already in there that is offering mime-types per extension? I think it's adviseable to use the same datasource here therein the patch as well instead offering duplicate data.
That array (in get_allowed_mime_types()
) is a list of allowed MIMEs that's filterable. It also has multiple extensions to one common MIME. Yes, I guess I could array_flip() it and then pop off the first extension, however I didn't think this was reliable enough due to the filter.
#10
in reply to:
↑ 9
@
15 years ago
Replying to Viper007Bond:
That array (in
get_allowed_mime_types()
) is a list of allowed MIMEs that's filterable. It also has multiple extensions to one common MIME. Yes, I guess I could array_flip() it and then pop off the first extension, however I didn't think this was reliable enough due to the filter.
Actually, I take that back, it could work now that I think of it.
#11
@
15 years ago
Well I did not say that it is fitting per-se, but worth to take a look into it. I mean why duplicate data here? But no idea if it is available in the location you would like to use it. We might need to introduce another filter here (or isn't there already one?!). Might make sense in the one or other way.
#12
@
15 years ago
Now I remember why I just made a new array -- it's the list of image types that the function can identify. No point in using the other array.
#15
@
14 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
Should be moved to a helper function and added to the other upload functions (sideload and the bits one).
#17
@
14 years ago
- Priority changed from lowest to normal
Bumping the need for a patch up the importance radar
#19
@
14 years ago
- Keywords has-patch needs-testing added; needs-patch removed
- Status changed from assigned to accepted
11946.4.patch
introduces wp_check_filetype_and_ext()
which does what wp_check_filetype()
does, but then goes on to attempt to validate the type and extension. If it determines that the extension doesn't match what the type truly is, then it'll return proper_filename
as a part of it's returned array.
I've modified the standard upload function, the sideload function, and the bits function to make use of this new function.
I have only tested this using the standard upload process, not sideload or bits.
#21
@
14 years ago
- Milestone changed from 3.0 to 3.1
Viper007Bond and I have thoroughly tested this for sideloads and uploads. Weary about bits, so going to handle that no sooner than 3.1.
#23
@
14 years ago
- Milestone changed from Awaiting Triage to 3.1
Just need to get the existing patch working for bits. Probably would be good for Joseph to take a look.
#27
@
14 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
Last bit is needed.
#30
@
11 years ago
- Cc jack@… added
I noticed that you can upload a file with the wrong extension. The function wp_check_filetype_and_ext() in wp-includes/functions.php says that it does this, but it does not. I added a few lines in the above patch that fixes this security bug.
Note, it relies on finfo_file. To make sure that it won't break servers running php < 5.3 I wrapped the code in function_exists().
This ticket was mentioned in IRC in #wordpress-dev by nacin. View the logs.
11 years ago
#32
@
11 years ago
It's better to rename than reject the upload, especially since that's what the other upload functions already do. We should also be as helpful to the user as possible (they're trying to upload a file, why not let them?). My original patch does this: attachment:11946.4.patch
Additionally as @markoheijnen mentions above, #21292 has a patch on it which addresses this ticket. It's based on my patch but uses extract()
(boo!) but ends up accomplishing the same thing. However it also makes some more sweeping changes and there doesn't seem to be much traction on that ticket.
Perhaps it'd be better to just implement the changes as originally suggested in attachment:11946.4.patch and loop back to #21292 at a later point.
#33
@
11 years ago
Sorry about the extract()
part ;). Making decisions based on traction isn't a good way. If we address it then everything should be addressed. We could close that ticket and merge it with this code.
#37
@
8 years ago
Good catch @gitlost. Leftover from debugging. 11946-iscallable.diff fixes this issue.
Potential solution