#9234 closed defect (bug) (worksforme)
Upload filter does not work
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | lowest |
| Severity: | normal | Version: | 2.7 |
| Component: | Upload | Keywords: | upload files security |
| Focuses: | | Cc: | |
Description
I work for a company that builds and hosts multiple websites. Recently I set up a WordPress website for a client.
The flash uploader works fine, except that it uploads ALL files. I can upload .php files, .exe files and even made-up files.
By default WordPress accepts .exe files (in wp-includes/functions.php there's an array with accepted MIME types), but it shouldn't accept .php files, nor made-up files.
Change History (4)
#2
@
14 years ago
- Priority changed from normal to lowest
- Resolution set to worksforme
- Status changed from new to closed
Thanks for the help. I didn't know that an admin could upload all file types.
I would like to give my client all the permissions an admin has, except for the unlimited uploading possibilities. But I guess that's not possible without hacking the core files / database.
#3
@
14 years ago
Hm, should've mentioned this:
The plugin "Role Manager" exists (and there are a few others), which allows you to define custom user roles with custom permission sets. It's pretty much a must-have plugin type for any highly customised WP install (with backend access).
I personally don't like the coding of many of those plugins... but hey, they work.
Define "made up" files, all files are "made up" (by someone or another).
WordPress has 2 permission sets for uploads, which are based on the capabilities. By default, the administrator has "unfiltered_upload", which, as the name suggests, allows unfiltered uploads (it doesn't care about the file type).
AFAIK, all non-admin users will be able to upload, but will be limited to the filetype list which you mentioned.
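
The setup the reporter asks for (administrator permissions without unrestricted uploads) can be sketched with the capability named in this thread. This is an added example, not code from the ticket, from WordPress core or from the "Role Manager" plugin; the plugin name, the role slug `client_manager` and the `exe` blocklist are assumptions.

```php
<?php
/*
Plugin Name: Client Manager Role (added example)
Description: Hypothetical plugin: administrator capabilities without unfiltered_upload.
*/

// Role slug is an assumption made for this example.
define( 'CLIENT_ROLE', 'client_manager' );

// On activation, copy the administrator capability set, drop
// unfiltered_upload, and register the result as a new role.
function client_role_install() {
    $admin = get_role( 'administrator' );
    if ( null === $admin ) {
        return; // No administrator role to copy from.
    }
    $caps = $admin->capabilities;
    unset( $caps['unfiltered_upload'] );

    remove_role( CLIENT_ROLE ); // Re-create so the capability list stays in sync.
    add_role( CLIENT_ROLE, 'Client Manager', $caps );
}
register_activation_hook( __FILE__, 'client_role_install' );

// For users without unfiltered_upload, trim the accepted MIME type list:
// remove every entry whose extension pattern includes a blocked extension.
function client_role_filter_mimes( $mimes ) {
    if ( current_user_can( 'unfiltered_upload' ) ) {
        return $mimes; // Unfiltered users are not limited by this list.
    }
    $blocked = array( 'exe' ); // Constructed blocklist; extend as needed.
    foreach ( array_keys( $mimes ) as $pattern ) {
        // Keys look like "jpg|jpeg|jpe", so compare each alternative.
        if ( array_intersect( explode( '|', $pattern ), $blocked ) ) {
            unset( $mimes[ $pattern ] );
        }
    }
    return $mimes;
}
add_filter( 'upload_mimes', 'client_role_filter_mimes' );
```

A role that keeps `edit_plugins`, `edit_themes` or `edit_users` can still change server-side PHP or raise its own privileges, so removing `unfiltered_upload` narrows only the upload path.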