Make WordPress Core

Opened 2 years ago

Last modified 17 months ago

#54433 assigned defect (bug)

ALLOW_UNFILTERED_UPLOADS does not work anymore

Reported by: mssd19
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.8.2
Component: Media
Keywords:
Focuses:
Cc:

Description

I previously added
define( 'ALLOW_UNFILTERED_UPLOADS', true );
to wp-config.php so that I could upload binary executables into the media library. These executable files are installers for the software my lab develops and which is used by thousands of users around the world.
As I am trying to release a new version, I tried to upload the new installers, and no matter what I do I get "Sorry, this file type is not permitted for security reasons".
I really see no reason why the site admin should be prevented from uploading something into his own site.
I am using version 5.8.2 of WordPress, which does not appear in the Version pull-down below, and Avada and a multisite installation.

Attachments (2)

Media-Library-grid-mode-upload-error.png (47.9 KB) - added by sabernhardt 17 months ago.
uploads not allowed in inline uploader (without filter)
Upload-New-Media-multi-file-success.png (50.8 KB) - added by sabernhardt 17 months ago.
success even without filter on Add New (Upload New Media) page


Change History (6)

#1 @dlh
2 years ago

  • Component changed from General to Media
  • Focuses administration multisite removed
  • Version trunk deleted

#2 @SergeyBiryukov
2 years ago

  • Version set to 5.8.2

#3 @mssd19
2 years ago

Hello

So what is happening with this?
Why is it that a site administrator cannot upload a file? This makes no sense to me.

My wp-config.php file contains

define('ALLOW_UNFILTERED_UPLOADS',true);

and my wp-content/themes/Avada/functions.php file contains

function my_custom_upload_mime_types( $mimes ) {
    $mimes['py'] = 'text/x-python';
    $mimes['exe'] = 'application/x-msdos-program';
    $mimes['sh'] = 'text/x-sh';
    $mimes['tgz'] = 'application/x-tar';
    $mimes['msi'] = 'application/x-msi';
    $mimes['wps'] = 'application/x-executable';
    // Return the array back to the function with our added MIME type.
    return $mimes;
}
add_filter( 'upload_mimes', 'my_custom_upload_mime_types' );

The .wps extension (i.e. WordPress Sucks) was added as it is the only way I found to upload Linux binaries, by adding the .wps extension ...

thanks

Last edited 2 years ago by johnbillion

@sabernhardt
17 months ago

uploads not allowed in inline uploader (without filter)

@sabernhardt
17 months ago

success even without filter on Add New (Upload New Media) page

#4 @sabernhardt
17 months ago

Hi and thanks for the report!

You apparently found a way around this (maybe the plugin mentioned in your support topic).

I found a discrepancy between upload locations. I tried this in a single-site WordPress 6.1.1 installation just with the constant in wp-config, with and without the upload_mimes filter in a must-use plugin (not the theme). I was able to upload an EXE file and your ADFRsuite_Linux-x86_64_1.0_install file when I went to the "Add New" page (in the side menu or clicking the "Add New" link at the top in List mode).

However, the inline uploader—above the media thumbnails in Grid mode—blocked the Linux installation file as an unsupported type, either with or without the filter. Using the upload_mimes filter made it accept the EXE file.
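
A diagnostic for the situation discussed in this ticket, added here as an example; it is not code from the ticket or from WordPress core. It reports, for the logged-in user, whether the constant is set, whether core grants the `unfiltered_upload` capability, and how each extension from comment #3 resolves against the filtered MIME list. The function name `updiag_report` and the mu-plugin file name are assumptions.

```php
<?php
/**
 * Added diagnostic (hypothetical mu-plugin, e.g. wp-content/mu-plugins/upload-diag.php).
 * Shows an admin notice on the Media screens describing how this site will
 * treat the extensions from the ticket for the current user.
 */
function updiag_report() {
	// Extensions taken from the upload_mimes filter quoted in comment #3.
	$extensions = array( 'py', 'exe', 'sh', 'tgz', 'msi', 'wps' );

	$constant = defined( 'ALLOW_UNFILTERED_UPLOADS' ) && ALLOW_UNFILTERED_UPLOADS;
	$lines    = array(
		'ALLOW_UNFILTERED_UPLOADS: ' . ( $constant ? 'true' : 'not set' ),
		'multisite: ' . ( is_multisite() ? 'yes' : 'no' ),
		'super admin: ' . ( is_super_admin() ? 'yes' : 'no' ),
		// Core maps this capability to "do_not_allow" unless the constant is
		// true and, on multisite, the user is a super admin.
		'unfiltered_upload: ' . ( current_user_can( 'unfiltered_upload' ) ? 'granted' : 'denied' ),
	);

	// Allowed types for this user, after every upload_mimes filter has run.
	$allowed = get_allowed_mime_types();
	foreach ( $extensions as $ext ) {
		$check   = wp_check_filetype( 'sample.' . $ext, $allowed );
		$lines[] = sprintf( '.%s => %s', $ext, $check['type'] ? $check['type'] : 'not in allowed list' );
	}
	return $lines;
}

add_action( 'admin_notices', function () {
	$screen = get_current_screen();
	// 'upload' is the Media Library screen, 'media' is the Add New screen.
	if ( ! $screen || ! in_array( $screen->id, array( 'upload', 'media' ), true ) ) {
		return;
	}
	if ( ! current_user_can( 'manage_options' ) ) {
		return; // Do not expose configuration details to lower-privileged users.
	}
	echo '<div class="notice notice-info"><pre>' . esc_html( implode( "\n", updiag_report() ) ) . '</pre></div>';
} );
```

Comparing the notice on the Media Library (Grid mode) and Add New pages shows whether the server-side configuration is identical in both places; remove the file once the comparison is done.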
