Make WordPress Core

Opened 14 years ago

Closed 14 years ago

#15916 closed enhancement (fixed)

Please add .ics to security guidelines' "whitelist."

Reported by: janas
Owned by: westi
Milestone: 3.2
Priority: lowest
Severity: minor
Version: 3.1
Component: Upload
Keywords: has-patch
Focuses:
Cc:

Description

I upload files (usually images for display, sometimes PDFs for download) either from the WordPress dashboard ("Add New Media" on left column), or from the "Add Media" button while editing a page ("Upload/Insert" above the editing box).

The uploader uploads my ICS (iCal Export) file, then says in red: "File type does not meet security guidelines. Try another."

I want to be able to upload our ICS file, for our fans to download and import into their calendars if they choose. Personally, I frequently download ICS files from Facebook event pages and other sources for import into my own iCal; as a fan I find it quite a handy time-saver.

ICS files are not executables, so I don't know that they could be used maliciously.

Thank you.

Attachments (1)

15916.patch (434 bytes) - added by SergeyBiryukov 14 years ago.


Change History (10)

#1 @janas
14 years ago

  • Cc janas added

#2 @nacin
14 years ago

  • Keywords needs-patch added; .ics iCal calendar file export upload download security guidelines whitelist removed
  • Milestone changed from Awaiting Review to Future Release
  • Type changed from defect (bug) to enhancement

Plugin in the meantime: http://wordpress.org/extend/plugins/pjw-mime-config/, or disable filtered uploads if you trust all of your users.

#3 @SergeyBiryukov
14 years ago

  • Keywords has-patch added; needs-patch removed

#4 @westi
14 years ago

  • Component changed from Security to Upload
  • Keywords 3.2-early added
  • Owner changed from janas to westi
  • Status changed from new to reviewing

#5 follow-up: @aaroncampbell
14 years ago

There's a really simple fix for this:

function allow_new_filetypes( $mimes ) {
	$mimes['ics'] = 'text/calendar';
	return $mimes;
}

add_filter( 'upload_mimes', 'allow_new_filetypes' );

You can put that in your theme's functions.php file, or put it in a file and drop it in your mu-plugins folder.

Last edited 14 years ago by aaroncampbell

#6 in reply to: ↑ 5 @westi
14 years ago

Replying to aaroncampbell:

There's a really simple fix for this:

function allow_new_filetypes( $mimes ) {
	$mimes['ics'] = 'text/calendar';
}

add_filter( 'upload_mimes', 'allow_new_filetypes' );

You can put that in your theme's functions.php file, or put it in a file and drop it in your mu-plugins folder.

Don't forget the:

return $mimes;

at the end of the function.

#7 @aaroncampbell
14 years ago

Thanks Westi. I can't believe I left it off (guess that's what you get when you just type the code here in the ticket rather than testing it first). I updated my code above in case anyone tries to copy/paste.

#8 @westi
14 years ago

  • Keywords 3.2-early removed
  • Milestone changed from Future Release to 3.2
  • Priority changed from normal to lowest
  • Severity changed from normal to minor
  • Version set to 3.1

#9 @westi
14 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In [18091]:

Add .ics / text/calendar to the whitelist of allowed file types. Fixes #15916 props SergeyBiryukov
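
Added example, not part of the ticket or of the committed patch: a mu-plugin that pairs the `upload_mimes` allowlist entry from comment 5 with a content check on `wp_handle_upload_prefilter`, so a file named `.ics` is accepted only when it starts like an iCalendar object. The `example_` function names, the 1 MiB read limit and the error text are assumptions chosen for illustration, and the check is a heuristic, not a full iCalendar parser.

```php
<?php
/**
 * Illustrative mu-plugin (example code, not WordPress core).
 * Adds one extension to the upload allowlist instead of disabling
 * filtered uploads for every file type.
 */

// Allow .ics with its registered MIME type; the rest of the list is untouched.
function example_allow_ics( $mimes ) {
	$mimes['ics'] = 'text/calendar';
	return $mimes; // a filter callback must return the (modified) array
}
add_filter( 'upload_mimes', 'example_allow_ics' );

// Heuristic content check: iCalendar data is text whose first line
// is BEGIN:VCALENDAR (property names are case-insensitive).
function example_looks_like_ics( $data ) {
	// Drop an optional UTF-8 byte order mark and leading whitespace.
	$data = ltrim( preg_replace( '/^\xEF\xBB\xBF/', '', $data ) );
	if ( 0 !== stripos( $data, 'BEGIN:VCALENDAR' ) ) {
		return false;
	}
	// A NUL byte means binary content, which a calendar export never has.
	return false === strpos( $data, "\0" );
}

// Runs before WordPress moves the uploaded file into the uploads directory.
function example_check_ics_upload( $file ) {
	$ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
	// Only inspect .ics uploads that PHP received without an error.
	if ( 'ics' !== $ext || ! empty( $file['error'] ) ) {
		return $file;
	}
	// Read at most 1 MiB (assumed limit) of the temporary file.
	$data = file_get_contents( $file['tmp_name'], false, null, 0, 1048576 );
	if ( false === $data || ! example_looks_like_ics( $data ) ) {
		// A non-numeric 'error' value makes the upload handler reject the file.
		$file['error'] = 'This file does not look like an iCalendar (.ics) export.';
	}
	return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'example_check_ics_upload' );
```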
