WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#17454 closed defect (bug) (invalid)

get_allowed_mime_types() does not return correct data

Reported by: MungoBBQ Owned by:
Milestone: Priority: normal
Severity: major Version: 3.1.2
Component: General Keywords:
Focuses: Cc:

Description

Hello,

I am the developer of the "Enable Media Replace" plugin. A while back, my plugin was flagged as "insecure" by a couple of online watchlists, since the plugin did not check what files were uploaded to replace files. A user could then upload a .php-file and execute it. Bad idea.

So I had to resort to using get_allowed_mime_types() to check for an allowed MIME type before writing an uploaded file to disk. It works fine, except get_allowed_mime_types does not include MIME types added by a filter such as "add_filter('upload_mimes', 'addUploadMimes');"

See http://wordpress.org/support/topic/plugin-enable-media-replace-file-type-does-not-meet-security-guidelines for a discussion with some users experiencing problems.

I suggest that the function "get_allowed_mime_types" should return ALL allowed MIME types - including those added by a filter in functions.php or a plugin.

Change History (1)

comment:1 duck_3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

get_allowed_mime_types() *is* where the upload_mimes filter is applied. Dumping the results of the function call after adding a filter works fine for me.

I think it's your usage of the function:

if (!in_array($new_filetype, $allowed_mime_types))

That means that the uploaded file type has to be application/octet-stream. Again this seems insecure. You should probably use wp_check_file_type_and_ext() or wp_handle_upload(), don't really know enough about the use case to be sure.

Version 0, edited 3 years ago by duck_ (next)
Note: See TracTickets for help on using tickets.