WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#34190 closed defect (bug) (invalid)

Function Reference/wp check filetype

Reported by: lpkapil Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.3.1
Component: General Keywords: needs-codex
Focuses: Cc:

Description

Change Log

Since: 2.0.4

Source File

wp_check_filetype() is located in wp-includes/functions.php.

But it's not actually located at this place as well, instead it's similar method 'wp_check_filetype_and_ext' is located on this file.

Issue:

Whenever we provide a url or a file name that have mulitple DOT SEPRATOR, it simply fails and don't return anything. It's not specified in codex as well.

Example: 'var/test/abc.user.class.php'

It should check recursively for correct file extension, but it doesn't looks like it's checking correctly.

Result:

Web application crash in middle if we use it.

Attachments (2)

rsz_screenshot_from_2015-10-07_172252.png (10.2 KB) - added by lpkapil 6 years ago.
Method callback and output, results web app crash and can't use it with multi dot file name, not useful and safe method in core functions
wp_core_error.png (2.6 KB) - added by lpkapil 6 years ago.
Output file

Download all attachments as: .zip

Change History (15)

#1 @lpkapil
6 years ago

  • Component changed from Cron API to Administration
  • Keywords needs-patch added
  • Severity changed from normal to critical

@lpkapil
6 years ago

Method callback and output, results web app crash and can't use it with multi dot file name, not useful and safe method in core functions

@lpkapil
6 years ago

Output file

#2 @lpkapil
6 years ago

We can patch this using code below, return the file extension only or create file information array using get file info:
<?php
$fileNameArr = explode(".", $path);
return end($fileNameArr);
?>

Last edited 6 years ago by lpkapil (previous) (diff)

#3 @chriscct7
6 years ago

  • Component changed from Administration to Media
  • Focuses accessibility docs administration multisite performance removed
  • Keywords needs-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from new to closed

Hi @lpkapil, welcome to WordPress trac. Thank you for taking the time to be verbose in your potential bug report.

I've reviewed your reported bug, and unfortunately, as far as I can determine, there isn't a bug in wp_check_filetype().

The reason you are getting back false has nothing to do with the multiple seperators. Because you didn't specify an array of mime types for parameter 2, WordPress looks for a mime type matching one of the acceptable WordPress mime types in get_allowed_mime_types(). .php is not an allowed mime type for uploads, and as a result, the function correctly returns the result of false. This is both expected and designed behavior

Proof of concept:

wp_die( 
   var_dump( 'test.jpg', wp_check_filetype( 'test.jpg' ),
             'test.php', wp_check_filetype( 'test.php' ),
             'test.jpg.php', wp_check_filetype( 'test.jpg.php' ),
             'test.php with php mime type declared', wp_check_filetype( 'test.php', array( 'php' => 'text/x-php' ) ) ) );

Will return

string 'test.jpg' (length=8)

array (size=2)
  'ext' => string 'jpg' (length=3)
  'type' => string 'image/jpeg' (length=10)

string 'test.php' (length=8)

array (size=2)
  'ext' => boolean false
  'type' => boolean false

string 'test.jpg.php' (length=12)

array (size=2)
  'ext' => boolean false
  'type' => boolean false

string 'test.php with php mime type declared' (length=36)

array (size=2)
  'ext' => string 'php' (length=3)
  'type' => string 'text/x-php' (length=10)

If you're able to find a way in which the function does not perform as designed, baring in mind the above explanation of how the function is intended to work, please comment below.

Last edited 6 years ago by chriscct7 (previous) (diff)

#4 @chriscct7
6 years ago

  • Component changed from Media to Upload

#5 follow-up: @lpkapil
6 years ago

  • Component changed from Upload to Administration
  • Resolution invalid deleted
  • Severity changed from normal to critical
  • Status changed from closed to reopened

Hi,

let me know ? why it's not returning the file extension correctly as specified ?

function debug(){
    var_dump(wp_check_filetype('/var/www/html/wordpress/wp-content/themes/twentyfifteen/user.class.php'));
    exit();
}
add_action('init', 'debug');

I have checked with this code, as in codex :

Parameters

$filename
    (string) (required) File name or path.

        Default: None 

$mimes
    (array) (optional) Key is the file extension with value as the mime type.

        Default: null

what's wrong here if i am supplying file name as "user.class.php" ?? why it returns bool false ? it should check the proper file extension and return that, if not it's useless for file that contains multiple dot in filename. share your views on same ?

Last edited 6 years ago by ocean90 (previous) (diff)

#6 in reply to: ↑ 5 @ocean90
6 years ago

  • Component changed from Administration to General
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from reopened to closed

Replying to lpkapil:

If you don't provide the $mimes argument the function uses get_allowed_mime_types() and wp_get_mime_types(). The later doesn't include PHP, that's why wp_check_filetype() returns false.

#7 @knutsp
6 years ago

  • Keywords needs-codex added

This could be explained in the codex.

#8 @lpkapil
6 years ago

  • Keywords needs-patch added; needs-codex removed
  • Resolution invalid deleted
  • Severity changed from normal to critical
  • Status changed from closed to reopened

I think it's an optional parameter mentioned in codex, you can check. Am i right ?

https://codex.wordpress.org/Function_Reference/wp_check_filetype

Then why should i care about second parameter if it's optional. can you explain ?

#9 @knutsp
6 years ago

  • Severity changed from critical to normal

Hey lpkapil

There is no point in reopening this ticket. Please don't continue doing so. A discussion can continue on a closed ticket. It should only be reopened on new information or some consensus that it's valid.

It's was closed for good reasons, well explained by very experienced contributors here. The fact that a parameter is optional doesn't mean you should not care about it. An optional parameter only means that when omitted, it will take a default value.

If there is a difference between how a function is expected to to behave, in source code versus the codex other documentation, then codex/docs is the place to update, and not the other way around.

#10 @johnbillion
6 years ago

@lpkapil please stop marking this ticket as critical.

By default, .php is not an allowed file type, which is why wp_check_filetype() returns boolean false.

#11 @lpkapil
6 years ago

  • Resolution set to maybelater
  • Status changed from reopened to closed

He everyone,

Thanks for explanation, i have to drop this function from my plugins, where ever i have used it. Anyway good explanation about this, I though there will be some enhancement in this.

#12 @knutsp
6 years ago

  • Keywords needs-codex added; needs-patch removed
  • Resolution maybelater deleted
  • Status changed from closed to reopened

#13 @knutsp
6 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed
Note: See TracTickets for help on using tickets.