Opened 2 years ago
Last modified 2 years ago
#55563 new defect (bug)
The function get_allowed_mime_types should check wp_get_current_user
| Reported by: | giuse | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 5.9.3 |
| Component: | Formatting | Keywords: | dev-feedback has-patch |
| Focuses: | | Cc: | |
Description
The function get_allowed_mime_types checks if the function current_user_can exists before using it, as you can see at https://developer.wordpress.org/reference/functions/get_allowed_mime_types/.
The function current_user_can calls wp_get_current_user, as you can see at https://developer.wordpress.org/reference/functions/current_user_can/
If the function get_allowed_mime_types is called when wp_get_current_user doesn't exist yet, it triggers a fatal error.
I think get_allowed_mime_types should also check if wp_get_current_user exists. I would write something like this:
```php
<?php
function get_allowed_mime_types( $user = null ) {
	$t = wp_get_mime_types();

	unset( $t['swf'], $t['exe'] );
	if ( function_exists( 'current_user_can' ) && function_exists( 'wp_get_current_user' ) ) {
		$unfiltered = $user ? user_can( $user, 'unfiltered_html' ) : current_user_can( 'unfiltered_html' );
	}

	if ( empty( $unfiltered ) ) {
		unset( $t['htm|html'], $t['js'] );
	}

	/**
	 * Filters list of allowed mime types and file extensions.
	 *
	 * @since 2.0.0
	 *
	 * @param array            $t    Mime types keyed by the file extension regex corresponding to those types.
	 * @param int|WP_User|null $user User ID, User object or null if not provided (indicates current user).
	 */
	return apply_filters( 'upload_mimes', $t, $user );
}
```
The function wp_get_current_user is defined in wp-includes/pluggable.php, so after all plugins are loaded. This means that if you call sanitize_file_name inside a mu-plugin, or before the action 'plugin_loaded', you get the fatal error.
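A caller-side workaround for the load-order problem described in this ticket, as an added example that is not WordPress core code and not part of the ticket: a must-use plugin defers its sanitize_file_name call until wp_get_current_user is defined. The `myprefix_` function name and the sample file name are assumptions.

```php
<?php
/**
 * Added example (not WordPress core code): a must-use plugin that needs
 * sanitize_file_name() before wp-includes/pluggable.php has been loaded.
 * The myprefix_* name is hypothetical.
 */

/**
 * Run $callback with the sanitized file name as soon as it is safe to do so.
 *
 * sanitize_file_name() calls get_allowed_mime_types() for names with more
 * than one extension, which reaches current_user_can() and then
 * wp_get_current_user(). Until pluggable.php is loaded that last function
 * does not exist, so the call is deferred to the 'plugins_loaded' action,
 * which fires after pluggable.php has been included.
 */
function myprefix_sanitize_file_name_when_ready( $raw_name, callable $callback ) {
	if ( function_exists( 'wp_get_current_user' ) ) {
		// Safe: the capability check inside get_allowed_mime_types() can run.
		$callback( sanitize_file_name( $raw_name ) );
		return;
	}

	// Too early in the bootstrap: queue the same call for later.
	add_action(
		'plugins_loaded',
		static function () use ( $raw_name, $callback ) {
			$callback( sanitize_file_name( $raw_name ) );
		},
		0 // Priority 0 so the name is available to later callbacks.
	);
}

// Constructed sample input: two extensions force the MIME-type lookup.
myprefix_sanitize_file_name_when_ready(
	'report.final.pdf',
	static function ( $safe_name ) {
		error_log( 'Sanitized upload name: ' . $safe_name );
	}
);
```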
The proposed solution looks good to me.