Make WordPress Core

Opened 4 years ago

Last modified 4 years ago

#52531 new defect (bug)

Unable to upload .ico with PHP 7.4

Reported by: lpointet
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.6.1
Component: Upload
Keywords: has-patch
Focuses:
Cc:

Description

Hello,

I found the following related ticket: #11824
You can find attached an example file.

On PHP 7.3.21, libmagic is shown as 533 in phpinfo under the "fileinfo" section.
On PHP 7.4.9, libmagic is shown as 537 in phpinfo under the "fileinfo" section.

I tried to upload the same file as an admin on a fresh WP install on both versions of PHP, and it works with 7.3 while it doesn't with 7.4.

The error is "Sorry, this file type is not permitted for security reasons.".

What I found is that the finfo_file function returns either "image/x-icon" or "image/vnd.microsoft.icon" depending on the PHP version I'm using.
In the first case, this will be allowed because it matches WP's internal mime types array. But in the second case, it will simply return an invalid type error (empty $type and $ext variables).

I used the following workaround:

<?php
function tmp_wp_check_filetype_and_ext( $values, $file, $filename, $mimes, $real_mime ) {
        if( ! $values['ext'] && ! $values['type'] && $real_mime === 'image/vnd.microsoft.icon' && preg_match( '!\.(ico)$!i', $filename, $ext ) ) {
                $values['ext'] = $ext[1];
                $values['type'] = 'image/x-icon';
        }

        return $values;
}
add_filter( 'wp_check_filetype_and_ext', 'tmp_wp_check_filetype_and_ext', 10, 5 );

Attachments (1)

clientportal-favicon.ico (361.4 KB) - added by lpointet 4 years ago.


Change History (4)

#1 @sabernhardt
4 years ago

  • Component changed from General to Upload

This ticket was mentioned in PR #1562 on WordPress/wordpress-develop by jefferyto.


4 years ago
#2

  • Keywords has-patch added

This adds the two common mime types for ICO files to the default getimagesize_mimes_to_exts list, for related reasons:

  • image/x-icon - This allows an ICO file with an incorrect extension to be uploaded and have its filename corrected (e.g. "logo.bmp" to "logo.ico").
  • image/vnd.microsoft.icon - In some server configurations, wp_get_image_mime() will return this mime type for ICO files. Since wp_check_filetype() will always return image/x-icon, ICO files will not be allowed to be uploaded unless this mime type is in the getimagesize_mimes_to_exts list.

Trac ticket: https://core.trac.wordpress.org/ticket/52531

#3 @jefferyto
4 years ago

While I haven't tested the output of finfo_file() in my case, I'm pretty sure my PR (https://github.com/WordPress/wordpress-develop/pull/1562) addresses the root cause, since wp_get_image_mime() is called (and the mimes to exts list tested) in the image type validation section before finfo_file() is tried.

(As a side note, I think image/heic can also be added to the default getimagesize_mimes_to_exts list since it is also in the list of recognized/allowed mime types, but I wanted to keep the PR focused on this ticket / fixing ICO file uploads.)

Plugins/themes can also work around this issue with something like:

<?php
function trac52531_getimagesize_mimes_to_exts( $mime_to_ext ) {
        $mime_to_ext['image/x-icon'] = 'ico';
        $mime_to_ext['image/vnd.microsoft.icon'] = 'ico';
        return $mime_to_ext;
}
add_filter( 'getimagesize_mimes_to_exts', 'trac52531_getimagesize_mimes_to_exts' );
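
A stricter variant of the filter-based workarounds in this ticket, added here as an example (not code from the ticket, the PR, or WordPress core): it maps the image/vnd.microsoft.icon alias to WordPress's ICO type only when the name-based check allows ICO and the file begins with a well-formed ICONDIR header. The example_* names and the 256-entry cap are assumptions.

```php
<?php
// Added example, not from the ticket or from WordPress core.
// The example_* names and the 256-entry cap are assumptions.

// True when $path starts with a well-formed ICONDIR: reserved = 0, type = 1
// (icon), count >= 1, and every 16-byte entry points at data inside the file.
function example_is_ico_file( $path ) {
	$fh = @fopen( $path, 'rb' );
	if ( ! $fh ) {
		return false;
	}
	$size = fstat( $fh )['size'];
	$head = (string) fread( $fh, 6 );
	$dir  = 6 === strlen( $head ) ? unpack( 'vreserved/vtype/vcount', $head ) : false;
	$ok   = $dir && 0 === $dir['reserved'] && 1 === $dir['type']
		&& $dir['count'] >= 1 && $dir['count'] <= 256;
	for ( $i = 0; $ok && $i < $dir['count']; $i++ ) {
		$raw = (string) fread( $fh, 16 );
		$e   = 16 === strlen( $raw ) ? unpack( 'Cw/Ch/Ccolors/Cres/vplanes/vbpp/Vbytes/Voffset', $raw ) : false;
		$ok  = $e && $e['bytes'] > 0
			&& $e['offset'] >= 6 + 16 * $dir['count']
			&& $e['offset'] + $e['bytes'] <= $size;
	}
	fclose( $fh );
	return (bool) $ok;
}

// Map the libmagic alias back to WordPress's ICO type only when the name-based
// check allows ICO for this upload and the bytes really describe an icon.
function example_allow_ico_alias( $values, $file, $filename, $mimes, $real_mime ) {
	if ( ! empty( $values['ext'] ) || ! empty( $values['type'] ) ) {
		return $values; // Core already accepted the file; nothing to repair.
	}
	$by_name = wp_check_filetype( $filename, $mimes );
	if ( 'image/vnd.microsoft.icon' === $real_mime
		&& 'image/x-icon' === $by_name['type']
		&& example_is_ico_file( $file )
	) {
		$values['ext']  = 'ico';
		$values['type'] = $by_name['type'];
	}
	return $values;
}
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'wp_check_filetype_and_ext', 'example_allow_ico_alias', 10, 5 );
}
```

Cursor files (type = 2) and files whose directory entries point past the end of the file are left rejected, so the alias mapping does not widen what the upload check accepts beyond real icons.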