WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#4136 closed enhancement (fixed)

Admin should not by stopped from uploading any type of file

Reported by: foolswisdom Owned by: rob1n
Milestone: 2.3 Priority: normal
Severity: normal Version: 2.2
Component: Administration Keywords: has-patch needs-testing
Focuses: Cc:

Description

Admin should not by stopped from uploading any type of file. I tried to upload a .ODT to a test environment as an admin, and where as a .DOC worked, here I received "File type does not meet security guidelines." when using Upload file in Write Post.

Admin's should have unrestricted file uploading.

ENV: trunk 5242

ADDITIONAL DETAILS
2ndary issue, the file I was trying to upload was a .ODT (Open Document Text Format for Office Applications (OpenDocument)) should probably be added to the list of allowed.

Attachments (4)

4136b.diff (521 bytes) - added by Nazgul 7 years ago.
ODT support
4136.diff (2.2 KB) - added by rob1n 7 years ago.
Refreshed patch refreshed. (fixed typo)
fix5303.diff (778 bytes) - added by technosailor 7 years ago.
4136fix.diff (962 bytes) - added by Nazgul 7 years ago.

Download all attachments as: .zip

Change History (20)

comment:1 markjaquith7 years ago

+1 to both.

comment:2 follow-up: jhodgdon7 years ago

I verified the bug report: if you try to upload a file with ODT extension, it fails with the given warning. It is probably more or less version independent, because the "security check" is done in function wp_check_filetype in wp-includes/functions.php, where the file extension is checked against a list of known MIME types, and ODT is not in that list.

However, there is no way the list of MIME types in that function will ever be complete -- there are too many MIME types out there. There is also a plugin hook there (upload_mimes), so anyone wanting to allow new file types can write a plugin to do it. So why choose to add this particular MIME type and not a whole host of others? I am not in favor of adding this particular one, necessarily.

As far as the question of allowing admin to upload whatever file admin wants to, this makes more sense to me, but I think it should be implemented with something like this:

current_user_can( 'override_upload_mimes' )

This would go into function wp_handle_upload in file wp-admin/admin_functions.php, and then of course the admin user would have to be given this permission by default... not sure how to do that...

Nazgul7 years ago

ODT support

comment:3 Nazgul7 years ago

  • Keywords has-patch needs-testing added
  • Owner changed from anonymous to Nazgul
  • Status changed from new to assigned
  • Type changed from defect to enhancement

I've attached 2 patches.

  1. Patch which adds the ODT extension to the allowed types.
  2. Patch which introduces an unfiltered_upload capability which is only given to administrators by default.

comment:4 in reply to: ↑ 2 foolswisdom7 years ago

Thanks for the patch Nazgul! After 2.2, I look forward to giving it a spin.

Replying to jhodgdon:

However, there is no way the list of MIME types in that function will ever be complete -- there are too many MIME types out there. There is also a plugin hook there (upload_mimes), so anyone wanting to allow new file types can write a plugin to do it. So why choose to add this particular MIME type and not a whole host of others? I am not in favor of adding this particular one, necessarily.

Who is arguing against adding a whole list of others? All ~popular "safe" extensions should be added.

comment:5 rob1n7 years ago

  • Milestone changed from 2.3 to 2.2

+1 to both. I think unfiltered_upload is a good cap to have.

comment:6 rob1n7 years ago

  • Milestone changed from 2.2 to 2.3
  • Owner changed from Nazgul to rob1n
  • Status changed from assigned to new

comment:7 westi7 years ago

+1 to both patches.

BTW for mimetype management there is a nice plugin ;-)

http://blog.ftwr.co.uk/wordpress/mime-config/

comment:8 gerbennn7 years ago

Tested both patches with SVN:5292. Works like a charm.

+1 for both patches.

rob1n7 years ago

Refreshed patch refreshed. (fixed typo)

comment:9 ryan7 years ago

Code looks good. +1 on both.

comment:10 rob1n7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [5303]) Add unfiltered_upload cap, and allow for admins. Props Nazgul. fixes #4136

comment:11 rob1n7 years ago

(In [5304]) Add ODT to allowed file types. Props Nazgul. fixes #4136

comment:12 technosailor7 years ago

This changeset breaks the uploader. GIF and JPG tried as admin, strips the . in the filename (i.e. mysexypic.jpg becomes mysexypicjpg). I'll try to get in a patch tomorrow if I have a minute or can track down the issue. Don't wait on me though. I'd roll back this changeset until the bug can be fixed.

technosailor7 years ago

comment:13 technosailor7 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Ok, here's a diff. All this does is allow an admin to upload a valid mimetype image without the stripping of the dot between filename and ext. Non-admin users will still have valid filenames mangled which is exactly opposite of how it was with the previous changeset. I spent some time reviewing mods to wp-admin/admin-functions.php and wp-includes/functions.php in SVN and I can't really determine where this greedy stripping is occurring.

Regardless, I'm reopening as I don't believe this is expected behavior. If we don't want non-admins to upload images, let's take away the uploader - not change their files behind their backs. If we DO want to allow non-admins to upload images, then my changeset does not address this issue and we need to find out where those greedy regexes (or whatever) are mangling the files.

Nazgul7 years ago

comment:14 Nazgul7 years ago

I did some testing.

The greedy stripping is done by sanitize_title_with_dashes, because wp_check_filetype isn't called and therefore $ext isn't set.

The attached patch makes sure wp_check_filetype is called, and sets the $ext manually if it's an unknown filetype and the user can do unfiltered_upload.

comment:15 technosailor7 years ago

That's the solution I was trying to find. I just wasn't putting all the pieces together. Suggest commit. :) Well done, Nazgul.

comment:16 ryan7 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [5353]) unfiltered_upload fix from Nazgul. fixes #4136

Note: See TracTickets for help on using tickets.