get_allowed_mime_types() does not return correct data
Reported by: MungoBBQ | Owned by:
I am the developer of the "Enable Media Replace" plugin. A while back, my plugin was flagged as "insecure" by a couple of online watchlists, since the plugin did not check what files were uploaded to replace files. A user could then upload a .php file and execute it. Bad idea.
So I had to resort to using get_allowed_mime_types() to check for an allowed MIME type before writing an uploaded file to disk. It works fine, except get_allowed_mime_types does not include MIME types added by a filter such as "add_filter('upload_mimes', 'addUploadMimes');"
See http://wordpress.org/support/topic/plugin-enable-media-replace-file-type-does-not-meet-security-guidelines for a discussion with some users experiencing problems.
I suggest that the function "get_allowed_mime_types" should return ALL allowed MIME types - including those added by a filter in functions.php or a plugin.
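An added example, not code from the ticket or from the Enable Media Replace plugin: one way to run the allow-list check described above before a replacement file is written to disk. It assumes it runs inside a loaded WordPress plugin and that the filter is registered at plugin load, before the check is called; the `emr_example_*` names and the `epub` entry are hypothetical.

```php
<?php
// Added example. Assumes WordPress is loaded (plugin context).
// The emr_example_* names are hypothetical, not the plugin's own functions.

// Register extra types at plugin load, before any upload check runs.
add_filter( 'upload_mimes', 'emr_example_add_upload_mimes' );
function emr_example_add_upload_mimes( $mimes ) {
	$mimes['epub'] = 'application/epub+zip'; // constructed sample entry
	return $mimes;
}

/**
 * Validate a replacement upload against the allowed MIME types.
 *
 * @param array $upload One entry of $_FILES (name, tmp_name, error).
 * @return string|WP_Error Safe filename to write, or an error.
 */
function emr_example_validate_replacement( $upload ) {
	if ( ! isset( $upload['error'] ) || UPLOAD_ERR_OK !== $upload['error'] ) {
		return new WP_Error( 'upload_error', 'Upload failed.' );
	}
	// Only accept a file that PHP itself received over HTTP POST.
	if ( ! is_uploaded_file( $upload['tmp_name'] ) ) {
		return new WP_Error( 'not_an_upload', 'Not an uploaded file.' );
	}
	$filename = sanitize_file_name( $upload['name'] );

	// Allow-list check: the extension must map to an allowed type.
	// For images, WordPress also compares the content to the extension.
	$allowed = get_allowed_mime_types();
	$check   = wp_check_filetype_and_ext( $upload['tmp_name'], $filename, $allowed );
	if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
		return new WP_Error( 'type_not_allowed', 'File type is not allowed.' );
	}
	// Use the corrected name when WordPress suggests one.
	if ( ! empty( $check['proper_filename'] ) ) {
		$filename = $check['proper_filename'];
	}
	return $filename;
}

// In the upload handler, stop before anything is written to disk:
// $name = emr_example_validate_replacement( $_FILES['userfile'] );
// if ( is_wp_error( $name ) ) { wp_die( esc_html( $name->get_error_message() ) ); }
```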