#40078 closed defect (bug) (duplicate)
Lingering issues with office files
Reported by: | Bryan_B | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 4.7.3 |
Component: | Upload | Keywords: | |
Focuses: | | Cc: | |
Description
This is a follow-up to #39550.
There are still lingering issues regarding office files and MIME type checking. PPT files resolve as generic application/vnd.ms-office even when saved directly from PowerPoint for Mac. PPTX/DOCX/XLSX resolve to application/zip files, which is a perfectly valid interpretation of those file formats, so multisites need zip files whitelisted to pass the MIME check on those. I've had to resolve octet-stream by providing a dummy file extension entry with that as the MIME type.
Ultimately, magic MIME checks in PHP's file are not reliable enough across installations to really consider 4.7.3 a resolution to the problem.
Anyone managing a multisite on behalf of a large number of clients will not sufficiently be able to use education of users and spot fixes for these issues. As far as users are concerned, their perfectly valid files are being rejected for no good reason, whether because they downloaded the file and the server served it up as octet-stream, or their application is saving them with incorrect MIME types, or the magic MIME file does not resolve to the proper format.
It might be beneficial to include a new field in settings for a MIME whitelist (similar to the way multisite whitelists file extensions) and ONLY check the finfo real MIME type against this list. The array could be pre-populated from get_allowed_mime_types but merge in custom entries for the finfo check, allowing admins to whitelist non-standard, but valid, MIME types and still allow WordPress to provide behavior protecting against files lying about their contents.
This ticket is being merged into #40175. Please continue related discussion there.
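
The allowlist check proposed in the description, sketched as an added example; it is not WordPress core code and not code from the ticket. `example_allowed_mime_types()` is a stand-in for `get_allowed_mime_types()`, and the other `example_*` names and the sample files are constructed for illustration.

```php
<?php
// Added example, not WordPress code. All example_* names are hypothetical.

// Stand-in for get_allowed_mime_types() so the block runs outside WordPress
// (constructed subset: extension pattern => MIME type).
function example_allowed_mime_types(): array {
    return [
        'jpg|jpeg|jpe' => 'image/jpeg',
        'ppt|pps|pot'  => 'application/vnd.ms-powerpoint',
        'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
    ];
}

// Detected types the finfo check accepts: the core list plus admin-added entries.
function example_finfo_allowlist(array $admin_extra): array {
    $types = array_merge(array_values(example_allowed_mime_types()), $admin_extra);
    return array_values(array_unique(array_map('strtolower', $types)));
}

// Compare only the finfo-detected type with the allowlist; fail closed on error.
function example_check_upload(string $path, array $allowlist): array {
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($detected === false) {
        return ['allowed' => false, 'detected' => null];
    }
    $detected = strtolower($detected);
    return ['allowed' => in_array($detected, $allowlist, true), 'detected' => $detected];
}

// Admin-added generic types reported in the ticket for valid office files.
$allowlist = example_finfo_allowlist(['application/vnd.ms-office', 'application/zip']);

// Constructed samples: a minimal ZIP (empty archive record) named .pptx,
// and PHP source named .jpg (a file lying about its contents).
$samples = [
    'deck.pptx' => "PK\x05\x06" . str_repeat("\x00", 18),
    'photo.jpg' => "<?php echo 'not an image'; ?>\n",
];

foreach ($samples as $name => $bytes) {
    $path = tempnam(sys_get_temp_dir(), 'mime');
    file_put_contents($path, $bytes);
    $result = example_check_upload($path, $allowlist);
    unlink($path);
    printf("%-10s detected=%-18s %s\n", $name, $result['detected'] ?? 'unknown',
        $result['allowed'] ? 'accepted' : 'rejected');
}
```

The detected strings depend on the libmagic database installed on the server. Adding `application/zip` to the detected-type list lets any ZIP through this check, so the separate extension allowlist still has to gate what gets uploaded.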