Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#9234 closed defect (bug) (worksforme)

Upload filter does not work

Reported by: AbbeKeultjes
Owned by:
Milestone:
Priority: lowest
Severity: normal
Version: 2.7
Component: Upload
Keywords: upload files security
Focuses:
Cc:

Description

I work for a company that builds and hosts multiple websites. Recently I set up a WordPress website for a client.
The flash uploader works fine, except that it uploads ALL files. I can upload .php files, .exe files and even made up files.
By default WordPress accepts .exe files (in wp-includes/functions.php there's an array with accepted mime types), but it shouldn't accept .php files, nor made up files.

Change History (4)

comment:1 DD32, 5 years ago

  • Component changed from Media to Upload

> nor made up files.

Define "made up" files, all files are "made up" (by someone or another).

WordPress has 2 permission sets for uploads, which are based on the capabilities. By default, the administrator has "unfiltered_upload", which, as the name suggests, allows unfiltered uploads (doesn't care about the file type).

AFAIK, all non-admin users will be able to upload, but will be limited to the filetype list which you mentioned.

comment:2 AbbeKeultjes, 5 years ago

  • Priority changed from normal to lowest
  • Resolution set to worksforme
  • Status changed from new to closed

Thanks for the help. I didn't know that an admin could upload all file types.

I would like to give my client all the permissions an admin has, except for the unlimited uploading possibilities. But I guess that's not possible without hacking the core files / database.

comment:3 DD32, 5 years ago

Hm, should've mentioned this:

The plugin "Role Manager" exists (and there are a few others) which allow you to define custom user roles with custom permission sets. It's pretty much a must-have plugin type for any highly customised WP install (with backend access).

I personally don't like the coding of many of those plugins... but hey... they work.
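
The capability that comment 1 describes, and the "admin minus unfiltered uploads" role that comment 2 asks for, can be expressed without a role-manager plugin or core edits through WordPress's own filter hooks. The following must-use plugin is an added example; it is not from the ticket, the reporter, or WordPress core. The hook names (`map_meta_cap`, `upload_mimes`, `wp_handle_upload_prefilter`) are core's; the four-type allow-list and the error message are assumptions for the example, and the hooks themselves postdate the 2.7 release this ticket is filed against.

```php
<?php
/**
 * Plugin Name: Capped Uploads (added example, not from the ticket or core)
 *
 * Drop into wp-content/mu-plugins/ so it loads on every request without
 * activation. Hook names and signatures are WordPress core's; the
 * allow-list and the messages below are assumptions for this example.
 */

// 1. Nobody, administrators included, resolves to 'unfiltered_upload'.
//    map_meta_cap turns the capability being checked into the primitive
//    capabilities the user must hold. 'do_not_allow' can never be held,
//    so current_user_can( 'unfiltered_upload' ) is false for every user
//    and every upload goes through the MIME/extension check.
add_filter( 'map_meta_cap', function ( $caps, $cap ) {
    if ( 'unfiltered_upload' === $cap ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 2 );

// 2. Shrink the default MIME map to an explicit allow-list (assumed here:
//    JPEG, PNG, GIF, PDF). Keys follow core's "ext|ext|ext" convention;
//    anything not in the returned map is refused by
//    wp_check_filetype_and_ext() during the upload.
add_filter( 'upload_mimes', function ( array $mimes ) {
    $keep = array( 'jpg|jpeg|jpe', 'png', 'gif', 'pdf' );
    return array_intersect_key( $mimes, array_flip( $keep ) );
} );

// 3. Belt and braces: refuse any file name carrying a server-side script
//    extension anywhere in it (x.php, x.php.jpg, x.phtml) before the file
//    is moved into the uploads directory. Setting $file['error'] aborts
//    the upload and shows the message to the uploader.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    if ( preg_match( '/\.(php\d?|phtml|phar)(\.|$)/i', $file['name'] ) ) {
        $file['error'] = 'Files with a PHP extension are not permitted.';
    }
    return $file;
} );
```

Step 1 makes the outcome independent of how the administrator role is configured; in later WordPress versions `unfiltered_upload` is additionally gated by the `ALLOW_UNFILTERED_UPLOADS` constant in wp-config.php, and the filter above denies it either way. Step 3 looks only at the file name, so it complements rather than replaces the type check in step 2; the usual companion on the server side is a web-server rule that disables script execution inside wp-content/uploads, so that a file which slips through is served as data rather than run.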

comment:4 Viper007Bond, 5 years ago

  • Milestone Unassigned deleted