WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 4 years ago

#15916 closed enhancement (fixed)

Please add .ics to security guidelines' "whitelist."

Reported by: janas
Owned by: westi
Milestone: 3.2
Priority: lowest
Severity: minor
Version: 3.1
Component: Upload
Keywords: has-patch
Focuses: Cc:

Description

I upload files (usually images for display, sometimes PDFs for download) either from the WordPress dashboard ("Add New Media" on left column), or from the "Add Media" button while editing a page ("Upload/Insert" above the editing box).

The uploader uploads my ICS (iCal Export) file, then says in red: "File type does not meet security guidelines. Try another."

I want to be able to upload our ICS file, for our fans to download and import into their calendars if they choose. Personally, I frequently download ICS files from Facebook event pages and other sources for import into my own iCal—as a fan I find it quite a handy time-saver.

ICS files are not executables, so I don't know that they could be used maliciously.

Thank you.

Attachments (1)

15916.patch (434 bytes) - added by SergeyBiryukov 5 years ago.


Change History (10)

comment:1 @janas 5 years ago

  • Cc janas added

comment:2 @nacin 5 years ago

  • Keywords needs-patch added; .ics iCal calendar file export upload download security guidelines whitelist removed
  • Milestone changed from Awaiting Review to Future Release
  • Type changed from defect (bug) to enhancement

Plugin in the meantime: http://wordpress.org/extend/plugins/pjw-mime-config/, or disable filtered uploads if you trust all of your users.

@SergeyBiryukov 5 years ago

comment:3 @SergeyBiryukov 5 years ago

  • Keywords has-patch added; needs-patch removed

comment:4 @westi 5 years ago

  • Component changed from Security to Upload
  • Keywords 3.2-early added
  • Owner changed from janas to westi
  • Status changed from new to reviewing

comment:5 follow-up: @aaroncampbell 4 years ago

There's a really simple fix for this:

function allow_new_filetypes( $mimes ) {
	$mimes['ics'] = 'text/calendar';
}

add_filter( 'upload_mimes', 'allow_new_filetypes' );

You can put that in your theme's functions.php file, or put it in a file and drop it in your mu-plugins folder.

Version 0, edited 4 years ago by aaroncampbell (next)

comment:6 in reply to: ↑ 5 @westi 4 years ago

Replying to aaroncampbell:

There's a really simple fix for this:

function allow_new_filetypes( $mimes ) {
	$mimes['ics'] = 'text/calendar';
}

add_filter( 'upload_mimes', 'allow_new_filetypes' );

You can put that in your theme's functions.php file, or put it in a file and drop it in your mu-plugins folder.

Don't forget the:

return $mimes;

At the end of the function

comment:7 @aaroncampbell 4 years ago

Thanks Westi. I can't believe I left it off (guess that's what you get when you just type the code here in the ticket rather than testing it first). I updated my code above in case anyone tries to copy/paste.

comment:8 @westi 4 years ago

  • Keywords 3.2-early removed
  • Milestone changed from Future Release to 3.2
  • Priority changed from normal to lowest
  • Severity changed from normal to minor
  • Version set to 3.1

comment:9 @westi 4 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In [18091]:

Add .ics / text/calendar to the whitelist of allowed file types. Fixes #15916 props SergeyBiryukov
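
For sites on a version without this change, the filter discussed in comments 5 to 7 can be written as a small mu-plugin. This is an added example, not code from the ticket or from WordPress core; it goes one step beyond the thread by also checking the file content, and the `example_` function names and the content check are assumptions of this sketch.

```php
<?php
/*
 * Plugin Name: Allow .ics uploads (added example, not from the ticket)
 * Function names prefixed example_ are hypothetical.
 */

// Add .ics to the allowed upload types. The callback must return the
// array: apply_filters() uses the return value as the new list.
function example_allow_ics( $mimes ) {
	$mimes['ics'] = 'text/calendar';
	return $mimes;
}
add_filter( 'upload_mimes', 'example_allow_ics' );

// Assumption (not in the ticket): the extension alone says nothing about
// the content, so reject .ics uploads that do not start like an
// iCalendar object (RFC 5545: "BEGIN:VCALENDAR").
function example_check_ics_content( $file ) {
	$ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
	if ( 'ics' !== $ext || ! empty( $file['error'] ) ) {
		return $file; // Not an .ics file, or PHP already reported an upload error.
	}

	$head = file_get_contents( $file['tmp_name'], false, null, 0, 64 );
	if ( false === $head ) {
		$file['error'] = 'Could not read the uploaded calendar file.';
		return $file;
	}

	// Drop a UTF-8 byte order mark and leading whitespace before comparing.
	if ( 0 === strncmp( $head, "\xEF\xBB\xBF", 3 ) ) {
		$head = substr( $head, 3 );
	}
	if ( 0 !== stripos( ltrim( $head ), 'BEGIN:VCALENDAR' ) ) {
		// A string in 'error' makes wp_handle_upload() refuse the file.
		$file['error'] = 'This .ics file does not look like an iCalendar file.';
	}
	return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'example_check_ics_content' );
```

The prefix check only confirms the file starts like a calendar; it does not validate the rest of the iCalendar structure.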
