Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#55563 new defect (bug)

The function get_allowed_mime_types should check wp_get_current_user

Reported by: giuse's profile giuse Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.9.3
Component: Formatting Keywords: dev-feedback has-patch
Focuses: Cc:

Description

The function get_allowed_mime_types checks if the function current_user_can before using it, as you can see at https://developer.wordpress.org/reference/functions/get_allowed_mime_types/.

The function current_user_can calls wp_get_current_user, as you can see at https://developer.wordpress.org/reference/functions/current_user_can/

If the function get_allowed_mime_types is called when wp_get_current_user doesn't exist yet, it triggers a fatal error.

I think get_allowed_mime_types should check also if wp_get_current_user exist. I would write something like this:

<?php
function get_allowed_mime_types( $user = null ) {
    $t = wp_get_mime_types();
 
    unset( $t['swf'], $t['exe'] );
    if ( function_exists( 'current_user_can' ) && function_exists( 'wp_get_current_user' ) ) {
        $unfiltered = $user ? user_can( $user, 'unfiltered_html' ) : current_user_can( 'unfiltered_html' );
    }
 
    if ( empty( $unfiltered ) ) {
        unset( $t['htm|html'], $t['js'] );
    }
 
    /**
     * Filters list of allowed mime types and file extensions.
     *
     * @since 2.0.0
     *
     * @param array            $t    Mime types keyed by the file extension regex corresponding to those types.
     * @param int|WP_User|null $user User ID, User object or null if not provided (indicates current user).
     */
    return apply_filters( 'upload_mimes', $t, $user );
}

The function wp_get_current_user is defined in wp-includes/plugguble.php, so after all, plugins are loaded. This means that if you call sanitize_file_name inside a nu-plugin, or before the action 'plugin_loaded', you have the fatal error.

Attachments (1)

55563.diff (569 bytes) - added by elifvish 2 years ago.

Download all attachments as: .zip

Change History (3)

#1 @elifvish
2 years ago

The proposed solution looks good to me.

@elifvish
2 years ago

#2 @elifvish
2 years ago

  • Keywords has-patch added
Note: See TracTickets for help on using tickets.