Opened 12 years ago
Last modified 20 months ago
#21292 assigned defect (bug)
XML-RPC: wp_upload_bits should act like wp_handle_upload
Reported by: | markoheijnen | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.0 |
Component: | XML-RPC | Keywords: | has-patch needs-refresh |
Focuses: | Cc: |
Description (last modified by )
At this moment there isn't a check for file size when uploading an image through the XML-RPC. The reason is that the method wp_upload_bits is used. This only checks it does is if the file size is to big for a network installation.
The function check_upload_size() is something what you want except that it will use wp_die() if there is an error like this. The function is used as a filter: wp_handle_upload_prefilter. Which only get applied in the function wp_handle_upload.
We should probably change check_upload_size() a bit so it doesn't use wp_die() but does it somewhere else.
Attachments (4)
Change History (34)
#4
@
12 years ago
Finding a way to add https://github.com/daniloercoli/WordPress-streaming-xml-rpc in the new media method. And when it works well in 3.5 also add it in 3.6 for the current one.
#5
@
12 years ago
Just a weird thought. Would it make sense to fake a $_FILES array to pass through wp_handle_upload(). By using the code of Danilo to store the image localy that would make sense.
Other solution is not using it and fix wp_upload_bits(). Looking again to it and they should both do the same thing. The only difference is the input and how to act on that.
#7
@
12 years ago
- Description modified (diff)
- Summary changed from Using wp_handle_upload in the XML-RPC to XML-RPC: wp_upload_bits should act like wp_handle_upload
Added a new patch that checks if a user can upload any file.
#8
@
12 years ago
Removed wp_check_filetype in the beginning of wp_upload_bits() and added wp_check_filetype_and_ext in the end.
In this way you can manage the check trough the 4th parameter. (copied and edited the code from #11946)
The only bad part is the need of unlink on error since you need to upload the image.
#13
@
12 years ago
- Owner set to westi
- Status changed from new to assigned
Two remaining issues:
- wp_upload_bits() does not use wp_check_filetype_and_ext().
- wp_upload_bits() does not consult check_upload_size().
westi, your call for 3.5 or punt.
#14
@
12 years ago
- Keywords 3.6-early added
- Milestone changed from 3.5 to Future Release
I think we should punt this from 3.5 and come back in 3.6 to resolve those two issues.
#16
@
12 years ago
Well for me this is -1. Totally understand why people don't want to contribute on regular basis because of this.
I tried multiple times to get feedback on my latest patch but never gotten one.
#17
@
12 years ago
1) It's a significant patch with quite a bit of changes, and a lot of potential to break things.
2) There were more pressing changes in XML-RPC, image handling, and the upload APIs for 3.5. Most of that, you participated in.
3) It has no unit tests.
4) It is not a regression, and can easily be traced back to 3.0 — when MU was merged and wp_check_filetype_and_ext() was introduced.
Overall, we're looking at a low priority fix for a low priority ticket. It'll get addressed in a future release. It would be good if more people reviewed it — but the fact that no one did is more indicative of it being a low priority than something that got lost.
#18
@
12 years ago
- Keywords 3.6-early removed
- Milestone changed from Future Release to 3.6
- Version changed from 1.5 to 3.0
Yes, all those issues you can track back to 3.0 since this function didn't changed then.
It is however a high priority ticket since it can effect people badly (no disk space) and it shouldn't matter if no one did reviewed it or had see this issues.
It does has some unit tests but only indirectly through the XML-RPC method unit tests. I will write some more unit tests for it and refresh the patch this week.
#19
@
11 years ago
- Keywords 3.7-early added; dev-feedback removed
- Milestone changed from 3.6 to Future Release
#22
@
11 years ago
- Keywords 3.7-early removed
- Milestone changed from 3.7 to 3.8
Punting to 3.8 but I marked this on my todo list with high priority ;)
#23
@
11 years ago
- Keywords 3.9-early added
- Milestone changed from 3.8 to Future Release
Didn't had time to really look into this. Will tackle this in the next weeks but to late for 3.8
#25
@
9 years ago
- Keywords 3.9-early removed
- Milestone changed from Future Release to Awaiting Review
- Owner westi deleted
#26
@
9 years ago
r34577 fails all multisite unit tests, see https://travis-ci.org/aaronjorbin/develop.wordpress/builds/82269676
There was 1 failure: 1) Tests_XMLRPC_wp_uploadFile::test_network_limit Failed asserting that Array (...) is an instance of class "IXR_Error". /home/travis/build/aaronjorbin/develop.wordpress/tests/phpunit/tests/xmlrpc/wp/uploadFile.php:53
#28
@
9 years ago
The test has to come out - the reason it had been removed in [30530] was that the test has never passed. It'll only pass once the issue raised in this ticket is resolved: namely, that wp_upload_bits()
enforces multisite upload space restrictions.
Related: #20057