WordPress.org

Make WordPress Core

Opened 10 months ago

Last modified 10 months ago

#45818 new defect (bug)

ALLOW_UNFILTERED_UPLOADS does not work on multisite

Reported by: Hube2 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Upload Keywords:
Focuses: multisite Cc:
PR Number:

Description

In a multisite environment ALLOW_UNFILTERED_UPLOADS does not work. It only works for super admin. /wp-includes/capabilities.php line ~385.

<?php
        case 'unfiltered_upload':
                if ( defined('ALLOW_UNFILTERED_UPLOADS') && ALLOW_UNFILTERED_UPLOADS && ( !is_multisite() || is_super_admin( $user_id ) )  )
                        $caps[] = $cap;
                else
                        $caps[] = 'do_not_allow';
                break;

I have a site where the client needs to be able to upload files that are created by various CAD applications, too numerous to name them all, I don't even know them all. The mime type varies on these file depending on what application is creating them, there seems to be no standardization for extension/mime type in CAD applications and each file extension is only allowed a single mime type. Due to this I must constantly fiddle with the allowed files and mime types so that they can upload them. This is ridonkulous as there seems to be no other way on multisite to allow unfiltered uploads.

Change History (6)

#1 @desrosj
10 months ago

  • Focuses multisite added

#2 @desrosj
10 months ago

  • Version 5.0.2 deleted

#3 follow-up: @Hube2
10 months ago

If the goal is to completely prevent unfiltered uploads on multisite except for super admin then that if statement is correct. However, I don't see why this would be the case, but maybe I'm missing something. On the other hand, if the goal is to allow unfiltered uploads to super admins and all others as well if ALLOW_UNFILTERED_UPLOADS is true (which is what I would expect) then a couple of minor adjustments to the if statement will correct it

<?php
if ( ( defined('ALLOW_UNFILTERED_UPLOADS' ) &&
 ALLOW_UNFILTERED_UPLOADS ) || ( is_multisite() && is_super_admin( $user_id
 ) )  )

#4 @SergeyBiryukov
10 months ago

  • Component changed from General to Upload

#5 in reply to: ↑ 3 @SergeyBiryukov
10 months ago

Replying to Hube2:

If the goal is to completely prevent unfiltered uploads on multisite except for super admin then that if statement is correct.

Per [12630], that is indeed the goal.

#6 @Hube2
10 months ago

Then there should be a way to allow some file extensions to have multiple possible mime types. As I stated in the OP, CAD applications do not appear standardized. Different CAD applications use the same extension while setting a different mime type. It seems that every CAD app uses a different extension/mime combination, all of which appear to be completely valid according to the information I've been reading. With the setup in WP only one mime type can be set per extension (unless I'm missing something, if I am please point me to information). This makes it nearly impossible to allow anyone but a super admin on multisite to upload these files. In my opinion there needs to be a way to override this behavior. If I want to allow unfiltered uploads on my mulitsite installations then I should be able to accomplish this is some way without hacking core files, or expecting an entire software industry to use the same standard mime types where they have not done so for as long as there has been CAD software.

Last edited 10 months ago by Hube2 (previous) (diff)
Note: See TracTickets for help on using tickets.