Opened 10 years ago
Last modified 2 years ago
#30377 reopened enhancement
wp_check_filetype is broken when checking urls with parameters
Reported by: | supercleanse | Owned by: | audrasjb |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | normal | Version: | 4.0 |
Component: | Media | Keywords: | has-unit-tests needs-dev-note needs-patch |
Focuses: | Cc: |
Description
The function in ./wp-includes/media.php named wp_check_filetype has a bug.
It works properly when checking a url such as http://example.org/coolfile.mp4 but as soon as you add parameters to it (a common practice when attempting to embed un-cached or amazon pre-signed urls) like so: http://example.org/coolfile.mp4?extra=true¶ms=true ... it fails to return the extension / content type.
The fix for this should be *very* easy. The preg_match in this function that looks like this currently:
$ext_preg = '!\.(' . $ext_preg . ')$!i';
could be adjusted to ignore the query string (if there is one) and just return the true extension like so:
$ext_preg = '!\.(' . $ext_preg . ')(\?.*)?$!i';
I've tested this change in my local environment and it works great.
Attachments (5)
Change History (71)
#2
@
10 years ago
- Component changed from General to Media
- Focuses ui javascript administration performance removed
- Keywords needs-patch needs-unit-tests added
- Milestone changed from Awaiting Review to 4.1
- Severity changed from major to normal
#4
@
10 years ago
- Keywords has-patch added; needs-patch needs-unit-tests removed
30377.diff updates the regex to correctly identify file type and adds unit tests.
#5
@
10 years ago
That looks great.
So what are the odds that this change will be incorporated into 4.1?
I'm just asking because I figured out a nasty hack in my plugin around this issue but would like to version it so it won't run once this is in place.
Thanks, Blair
This ticket was mentioned in Slack in #core by voldemortensen. View the logs.
10 years ago
#8
@
10 years ago
- Owner set to wonderboymusic
- Resolution set to fixed
- Status changed from new to closed
In 30640:
#10
@
9 years ago
- Keywords needs-refresh added
- Milestone changed from 4.1 to Future Release
- Resolution fixed deleted
- Status changed from closed to reopened
#11
@
9 years ago
@pento, can I get an example or two of filetypes it was checking incorrectly so I can do testing?
#13
follow-up:
↓ 14
@
9 years ago
This was working in 4.1, but appears to be broken again in 4.1.2 FYI
#14
in reply to:
↑ 13
@
9 years ago
Replying to cartpauj:
This was working in 4.1, but appears to be broken again in 4.1.2 FYI
As per above, it was reverted out of 4.1.2, so that's expected.
#15
@
9 years ago
Is there any place I can see the urls the reverted regex was failing on?
I'm sure this regex can be adjusted to fix whatever cases it was failing on that have been submitted.
Now we're back to urls that include query strings being completely un-usable by the WordPress media players.
#17
@
9 years ago
I just submitted a patch for this. Running into the problem when using a file from Soundcloud which has query args. Instead of a regex, I chose to get the 'path' from parse_url, which works in these cases:
file.mp3 c:\file.mp3 /usr/local/bin/file.mp3 http://lewayotte.com/file.mp3 lewayotte.com/file.mp3 http://lewayotte.com/file.mp3?test=1 lewayotte.com/file.mp3?test=1 http://lewayotte.com/file.mp3?test=1&echo=2 lewayotte.com/file.mp3?test=1&echo=2
#18
@
9 years ago
- Keywords needs-unit-tests added; needs-refresh removed
The problem here is that wp_check_filetype()
was never intended to work with URLs, only file paths.
If we're going to explicitly allow support for URLs (which we need to do by extension of the fact that this function is used in the wp_[audio|video|playlist]_shortcode()
functions), this is gonna need unit test coverage and security review.
#19
follow-up:
↓ 20
@
9 years ago
If we're going to explicitly allow support for URLs (which we need to do by extension of the fact that this function is used in the wp_[audio|video|playlist]_shortcode() functions), this is gonna need unit test coverage and security review.
I'd personally prefer to add an explicit wp_check_url_filetype()
function instead, one which extracts the actual filename from the URL and passes it along to wp_check_filetype()
(if appropriate, or duplicates parts of it)
#20
in reply to:
↑ 19
@
9 years ago
Replying to dd32:
If we're going to explicitly allow support for URLs (which we need to do by extension of the fact that this function is used in the wp_[audio|video|playlist]_shortcode() functions), this is gonna need unit test coverage and security review.
I'd personally prefer to add an explicit
wp_check_url_filetype()
function instead, one which extracts the actual filename from the URL and passes it along towp_check_filetype()
(if appropriate, or duplicates parts of it)
I've submitted a patch for this.
#21
@
9 years ago
Sorry I never saw it, 30377.3.diff looks good to me at first glance.
#22
@
9 years ago
- Owner changed from wonderboymusic to johnbillion
- Status changed from reopened to reviewing
Note to self: [32171]
This ticket was mentioned in Slack in #core by atomicjack. View the logs.
9 years ago
#24
follow-ups:
↓ 25
↓ 26
@
9 years ago
- Keywords needs-refresh added; has-patch removed
We pull data from a product feed, with parameters in the URL. It works perfectly in 4.1.1, but breaks after any version past that, even with the latest -3 patch.
It is related to this bug.
#26
in reply to:
↑ 24
;
follow-ups:
↓ 29
↓ 30
@
9 years ago
Replying to atomicjack:
We pull data from a product feed, with parameters in the URL. It works perfectly in 4.1.1, but breaks after any version past that, even with the latest -3 patch.
It is related to this bug.
Can you describe the setup and GET request, so I can rework the patch and test?
#27
follow-up:
↓ 28
@
9 years ago
- Type changed from defect (bug) to enhancement
Changing to enhancement, as wp_check_filetype()
was never meant for URLs and the solution in this case is to introduce something else that does work for URLs.
#28
in reply to:
↑ 27
@
9 years ago
Replying to helen:
Changing to enhancement, as
wp_check_filetype()
was never meant for URLs and the solution in this case is to introduce something else that does work for URLs.
The wp_check_filetype() function is called several times on URLs in wp-includes/media.php. Including the Audio shortcode (which is where I ran into this bug). I believe this should be considered a bug. Especially if the function was never meant to be used for URLs.
#29
in reply to:
↑ 26
@
9 years ago
Replying to layotte:
Replying to atomicjack:
We pull data from a product feed, with parameters in the URL. It works perfectly in 4.1.1, but breaks after any version past that, even with the latest -3 patch.
It is related to this bug.
Can you describe the setup and GET request, so I can rework the patch and test?
Thanks for offering to help - currently we have a line like this:
<?php $media_info = wp_check_filetype(basename($vebra_media_line['File_url']));
I understand it is the File_url that you will probably need? I'm waiting for an example of what gets passed into that to be sent to me, but if you can do anything with the above at all, that'd be helpful. :)
#30
in reply to:
↑ 26
@
9 years ago
Replying to layotte:
Replying to atomicjack:
We pull data from a product feed, with parameters in the URL. It works perfectly in 4.1.1, but breaks after any version past that, even with the latest -3 patch.
It is related to this bug.
Can you describe the setup and GET request, so I can rework the patch and test?
Here's an example URL that gets passed in:
http://[BUCKET NAME].s3.amazonaws.com/[RANDOM CHARACTERS].jpg
#31
@
9 years ago
Yeah, our use case is for AWS urls as well ... but ours are expiring links so they include a question mark followed by a bunch of random characters.
Here is a real link we'd use ... it may not actually work because it's an expiring link but this will give you an idea of the type of URL that can be passed to this function:
https://wordup.s3.amazonaws.com/4992_IMG_8521_converted.mp4?AWSAccessKeyId=1D10DF3V7M34NWTQNBG2&Expires=1445884947&Signature=Mp8PDvQHYZJP69hdAFNgAr11X00%3D&_=1
Thanks
#32
@
9 years ago
Worth noting this also breaks importing when attachment URLs contain query parameters since the importer uses wp_check_filetype()
.
See: https://plugins.trac.wordpress.org/browser/wordpress-importer/trunk/wordpress-importer.php#L861
This ticket was mentioned in Slack in #core by ocean90. View the logs.
8 years ago
@
8 years ago
wp_check_filetype now returns correct extension when URL has query params or fragment. Unit tests included.
#34
@
8 years ago
- Keywords has-patch added; needs-unit-tests needs-refresh removed
My 30377.4.diff patch allows wp_check_filetype
to find the extension of a file in a URL when it also includes either query params or a fragment.
This is really important for use cases such as @supercleanse's where signed URLs are failing to instantiate the default media player due to wp_check_filetype
not finding the extension.
The patch also fixes strip_fragment_from_url
throwing "Undefined index: path" when a URL without a trailing slash is passed to it.
#35
@
7 years ago
- Type changed from enhancement to defect (bug)
30377.4.diff is still required on trunk in order to be able to use the built in media player in the admin area, and still applies cleanly to r40891.
#36
@
7 years ago
For anyone looking for a temporary workaround, I created this plugin: https://github.com/aaemnnosttv/fix-wp-media-shortcodes-with-params
#39
@
6 years ago
Hi all,
Is there any chance someone from the Core team can look at this again? This ticket has been open for four years, and the [audio] shortcode with URL Parameters is still broken.
Are we able to merge this into core? Is there something that still needs to be done?
This ticket was mentioned in Slack in #core by markparnell. View the logs.
4 years ago
#43
in reply to:
↑ 42
@
3 years ago
oh my god. how on earth has this taken so long to resolve? am I going to have to manage a patch forever (according to this drawn out timeline) for a 1 line resolution?
#44
@
3 years ago
- Keywords dev-feedback added; needs-testing removed
- Type changed from defect (bug) to enhancement
30377.5.diff refreshes the patch and adds more tests, particularly ones which include URLs and paths which attempt to subvert the extension detection.
One test fails: http://example.mp3
incorrectly results in an extension of mp3
, but this isn't strictly related to this change and AFAIK none of the extensions in wp_get_mime_types()
are valid TLDs anyway.
This ticket was mentioned in Slack in #core by ruxton. View the logs.
3 years ago
#46
@
3 years ago
- Keywords needs-refresh added
- Milestone changed from Future Release to 6.0
Moving for 6.0 consideration
Also marking as needs-refresh
since the patch doesn't apply anymore against trunk.
Anyone is welcome to submit a patch refresh.
(see https://wordpress.slack.com/archives/C02RQBWTW/p1646400165837319).
This ticket was mentioned in PR #2383 on WordPress/wordpress-develop by audrasjb.
3 years ago
#47
- Keywords has-unit-tests added; needs-refresh removed
Trac ticket: https://core.trac.wordpress.org/ticket/30377
#48
@
3 years ago
- Keywords needs-testing added
The above PR refreshes the last patch proposed by @johnbillion.
Adding needs-testing
keyword.
#49
@
3 years ago
One test fails: http://example.mp3 incorrectly results in an extension of mp3, but this isn't strictly related to this change and AFAIK none of the extensions in wp_get_mime_types() are valid TLDs anyway.
👆 this is still an issue with the current PR. @johnbillion should we just remove the failing test?
#51
@
3 years ago
- Keywords needs-dev-note commit added; needs-testing removed
Alright the tests are passing now and I tested the patch successfully.
Marking for a mention in the Misc changes devnote.
Self assigning for commit
.
#52
@
3 years ago
- Owner changed from johnbillion to audrasjb
- Status changed from reviewing to accepted
3 years ago
#54
Committed in https://core.trac.wordpress.org/changeset/52829
#55
@
3 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
@audrasjb Unfortunately this causes a PHP Fatal error for ms-files.php
:
Uncaught Error: Call to undefined function strip_fragment_from_url() in wp-includes/functions.php:3009 Stack trace: #0 wp-includes/ms-files.php(32): wp_check_filetype('wp-include...') #1 {main} thrown Source: GET https://make.wordpress.org/core/files/2022/01/list-view-keyboard-focus-1.mp4 Timestamp: Tue, 08 Mar 2022 00:28:30 +0000 (1646699310) File: wp-includes/functions.php Line: 3009
#56
@
3 years ago
- Keywords needs-patch added; has-patch commit removed
I am being a little tedious to keep the milestone report keywords clean.
I think we'd need e2e tests to test this use case as I don't think phpunit's ms-files tests use SHORTINIT
.
#57
@
3 years ago
#55333 is a php notice that this change started triggering on WordPress.org, but is 'unrelated'.
#58
follow-up:
↓ 61
@
3 years ago
@dd32 I'm trying to reproduce the issue but I'm struggling a bit with ms-files.php, it's pretty hard to reproduce on a new install. Do you have an easy to reproduce use case (I mean outside w.org)?
#59
@
3 years ago
As noted in comment:10, this was previously attempted in [30640] and reverted in [32171] as a security fix for WordPress 4.1.2. It would be great to confirm with the Security Team that [52829] does not reintroduce any issues.
#61
in reply to:
↑ 58
@
3 years ago
Replying to audrasjb:
@dd32 I'm trying to reproduce the issue but I'm struggling a bit with ms-files.php, it's pretty hard to reproduce on a new install.
Unfortunately I'm not aware of how to setup Multisite using ms-files.php, You probably need to manually flip the ms_files_rewriting
site option, or perhaps even just request ms-files.php?file=relative/path/to/file.ext
. I can say that strip_fragment_from_url
is in canonical and not loaded in multisite SHORTINIT though.
#62
follow-up:
↓ 63
@
3 years ago
With the knowledge of what @dd32 just mentioned, it seems the viable solution outside of moving strip_fragment_from_url out of canonical (which is excessive) is to strip the fragment and beyond with strpos, etc. as the query string was.
<?php $frag_pos = strpos( $filename, '#' ); if ( false !== $frag_pos) { $filename = substr($filename,0, $frag_pos-1) } ?>
#63
in reply to:
↑ 62
;
follow-up:
↓ 64
@
3 years ago
Replying to Ruxton:
With the knowledge of what dd32 just mentioned, it seems the viable solution outside of moving strip_fragment_from_url out of canonical (which is excessive) is to strip the fragment and beyond with strpos, etc. as the query string was.
Using string functions to remove parts of a URL (both ?...
and #...
) is a potential security issue here (and why it would've been reverted prevously), as it's possible to cause it to strip more than anticipated and result in operating on the incorrect filename. You should really use wp_parse_url()
instead too (It's kind of like parsing HTML with Regex, possible, but should be avoided).
Additionally, since the parameter can be a Filename, Path, or URL, you need to restrict any URL handling to URLs only, not filenames. wp_http_validate_url()
is the obvious thing there at first.. but it's not available in SHORTINIT I don't think, and...
If a filename on disk looks like a url (You can have a filename on Linux that IS a url), you can't treat it as a URL either. If the filename came from an untrusted location, you can't treat it as a URL unless it's known to be intentionally a URL.
Pulling out two comments from above:
- Comment by me: I'd personally prefer to add an explicit
wp_check_url_filetype()
function instead, one which extracts the actual filename from the URL and passes it along towp_check_filetype()
(if appropriate, or duplicates parts of it) - Comment by Helen: Changing to enhancement, as
wp_check_filetype()
was never meant for URLs and the solution in this case is to introduce something else that does work for URLs.
Even if the existing function is being passed URLs, it's not intentionally supposed to be used for URLs, and performing processing like this is doomed for failure.
#64
in reply to:
↑ 63
;
follow-up:
↓ 65
@
3 years ago
All very fair, someone actually wrote a patch with what you want and you responded to it at the time, then it somehow just drifted away from that.
If patch 3 is the solution you want, should we refresh that and include the tests from John's patch? Would that get us to a better place?
I'm just trying to get this across the line. It's old, annoying and a resolution is needed.
Replying to dd32:
Pulling out two comments from above:
- Comment by me: I'd personally prefer to add an explicit
wp_check_url_filetype()
function instead, one which extracts the actual filename from the URL and passes it along towp_check_filetype()
(if appropriate, or duplicates parts of it)- Comment by Helen: Changing to enhancement, as
wp_check_filetype()
was never meant for URLs and the solution in this case is to introduce something else that does work for URLs.Even if the existing function is being passed URLs, it's not intentionally supposed to be used for URLs, and performing processing like this is doomed for failure.
For some additional info about this issue ... here's someone else who has had this problem:
http://wordpress.stackexchange.com/questions/152316/using-audio-shortcode-for-mp3-urls-with-a-query-string