Opened 14 years ago
Closed 14 years ago
#17454 closed defect (bug) (invalid)
get_allowed_mime_types() does not return correct data
Priority: normal
Severity: major
Version: 3.1.2
Component: General
Description
Hello,
I am the developer of the "Enable Media Replace" plugin. A while back, my plugin was flagged as "insecure" by a couple of online watchlists, since the plugin did not check what files were uploaded to replace files. A user could then upload a .php-file and execute it. Bad idea.
So I had to resort to using get_allowed_mime_types() to check for an allowed MIME type before writing an uploaded file to disk. It works fine, except get_allowed_mime_types does not include MIME types added by a filter such as "add_filter('upload_mimes', 'addUploadMimes');"
See http://wordpress.org/support/topic/plugin-enable-media-replace-file-type-does-not-meet-security-guidelines for a discussion with some users experiencing problems.
I suggest that the function "get_allowed_mime_types" should return ALL allowed MIME types - including those added by a filter in functions.php or a plugin.
get_allowed_mime_types() *is* where the upload_mimes filter is applied. Dumping the results of the function call after adding a filter works fine for me. I think it's your usage of the function:
That means that the uploaded file type has to be application/octet-stream for the example filter in the thread you linked to which adds support for pub|psd|rdf. Or for a default, inbuilt file type like .docx it would have to be application/vnd.openxmlformats-officedocument.wordprocessingml which one of the other users posting had trouble with. I assume that the browsers aren't specifying these as the types. This still seems insecure. You should probably use wp_check_filetype_and_ext() or wp_handle_upload(), don't really know enough about the use case to be sure.
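To make the distinction in that comment concrete, here is an added example (not code from the Enable Media Replace plugin or from the ticket): the browser-supplied-type check the reporter describes beside the extension-based check through wp_check_filetype_and_ext() and wp_handle_upload(). It assumes it runs inside WordPress 3.1+ as plugin code with one $_FILES entry passed in; the emr_example_ function names are hypothetical.

```php
<?php
// Added example, not the Enable Media Replace plugin's code. Assumes it runs
// inside WordPress 3.1+ as plugin code and that $file is one $_FILES entry
// (keys: name, type, tmp_name, ...). Function names are hypothetical.

// The filter from the thread linked in the ticket: the new extensions map to
// a generic type that a browser will never put in $_FILES['...']['type'].
function emr_example_upload_mimes( $mimes ) {
    $mimes['pub|psd|rdf'] = 'application/octet-stream';
    return $mimes;
}
add_filter( 'upload_mimes', 'emr_example_upload_mimes' );

// Insecure: trusts the client-supplied MIME string. Legitimate .psd uploads
// fail (the browser does not send application/octet-stream) while a hostile
// client only has to claim an allowed type for whatever bytes it sends.
function emr_example_insecure_check( array $file ) {
    return in_array( $file['type'], get_allowed_mime_types(), true );
}

// Hardened: derive the type from the file name extension, matched against the
// filtered allowed list (and, for images, against the actual content).
// wp_check_filetype_and_ext() returns 'type' => false for disallowed
// extensions and sets 'proper_filename' when image content contradicts the
// extension; rejecting that case is stricter than core's rename behaviour.
function emr_example_secure_check( array $file ) {
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['type'] ) ) {
        return false; // extension not in get_allowed_mime_types()
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        return false; // extension did not match image content
    }
    return true;
}

// Simplest: wp_handle_upload() performs the same check and moves the file
// into the uploads directory; 'test_form' => false skips the form-action check.
function emr_example_handle_upload( array $file ) {
    $result = wp_handle_upload( $file, array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        return false; // WordPress rejected the file; $result['error'] says why
    }
    return $result['file']; // absolute path of the stored file
}
```

With the filter above active, a .psd upload passes emr_example_secure_check() but fails emr_example_insecure_check(), which is exactly the symptom the ticket reports.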