Make WordPress Core

Opened 14 years ago

Closed 14 years ago

Last modified 14 years ago

#9234 closed defect (bug) (worksforme)

Upload filter does not work

Reported by: AbbeKeultjes Owned by:
Milestone: Priority: lowest
Severity: normal Version: 2.7
Component: Upload Keywords: upload files security
Focuses: Cc:


I work for a company that builds and hosts multiple websites. Recently I set up a WordPress website for a client.
The flash uploader works fine, except that it uploads ALL files. I can upload .php files, .exe files and even made-up files.
By default WordPress accepts .exe files (in wp-includes/functions.php there's an array with accepted mime types), but it shouldn't accept .php files, nor made-up files.

Change History (4)

#1 @DD32
14 years ago

  • Component changed from Media to Upload

nor made up files.

Define "made up" files, all files are "made up" (by someone or another).

WordPress has two permission sets for uploads, based on capabilities. By default, the administrator has "unfiltered_upload", which, as the name suggests, allows unfiltered uploads (it doesn't care about the file type).

AFAIK, all non-admin users will be able to upload, but will be limited to the filetype list which you mentioned.

#2 @AbbeKeultjes
14 years ago

  • Priority changed from normal to lowest
  • Resolution set to worksforme
  • Status changed from new to closed

Thanks for the help. I didn't know that an admin could upload all file types.

I would like to give my client all the permissions an admin has, except for the unlimited uploading possibilities. But I guess that's not possible without hacking the core files / database.

#3 @DD32
14 years ago

Hm, should've mentioned this:

The plugin "Role Manager" exists (and there are a few others) that allows you to define custom user roles with custom permission sets. It's pretty much a must-have plugin type for any highly customised WP install (with backend access).

I personally don't like the coding of many of those plugins... but hey... they work.
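The outcome the reporter asks for in comment #2 (all administrator capabilities except unfiltered uploading) can be expressed with WordPress's own role and capability API rather than a role-manager plugin. The following mu-plugin is an added example written for this page; it is not code from the ticket, from WordPress core, or from any of the plugins mentioned. The role slug `filtered_admin`, its display name and the `example_` function names are assumptions chosen for the example; `administrator`, `unfiltered_upload`, `user_has_cap`, `upload_mimes`, `get_role`, `add_role` and `add_action`/`add_filter` are real WordPress identifiers. In current WordPress versions the `unfiltered_upload` capability is additionally gated behind the `ALLOW_UNFILTERED_UPLOADS` constant in `map_meta_cap`, so the `user_has_cap` filter below is redundant there and only matters on the 2.7-era behaviour the ticket describes.

```php
<?php
/**
 * Plugin Name: Filtered administrator role (added example)
 *
 * Illustrative mu-plugin, not part of WordPress core or of ticket #9234.
 * Place the file in wp-content/mu-plugins/ so it loads on every request.
 */

/**
 * Register, once, a role that copies every administrator capability except
 * unfiltered_upload. Users in this role are limited to the MIME whitelist
 * returned by get_allowed_mime_types(), i.e. the non-admin behaviour that
 * comment #1 describes. Roles persist in the options table, so the guard
 * avoids re-creating it on every page load.
 */
function example_register_filtered_admin_role() {
    if ( get_role( 'filtered_admin' ) ) {
        return; // already registered
    }
    $admin = get_role( 'administrator' );
    if ( ! $admin ) {
        return; // nothing to copy from (should not happen on a normal install)
    }
    $caps = $admin->capabilities;          // array of capability => bool
    unset( $caps['unfiltered_upload'] );   // the one capability we withhold
    add_role( 'filtered_admin', 'Filtered Administrator', $caps );
}
add_action( 'init', 'example_register_filtered_admin_role' );

/**
 * Defence in depth: deny unfiltered_upload to every user, real administrators
 * included, so all uploads pass through the extension/MIME whitelist.
 * $allcaps maps capability => bool for the user being checked.
 */
function example_deny_unfiltered_upload( $allcaps ) {
    $allcaps['unfiltered_upload'] = false;
    return $allcaps;
}
add_filter( 'user_has_cap', 'example_deny_unfiltered_upload' );

/**
 * Tighten the whitelist itself. .exe was on the default list at the time of
 * this ticket; current versions already strip 'exe' and 'swf' in
 * get_allowed_mime_types(), so on those this part is a no-op.
 */
function example_restrict_upload_mimes( $mimes ) {
    unset( $mimes['exe'], $mimes['swf'] );
    return $mimes;
}
add_filter( 'upload_mimes', 'example_restrict_upload_mimes' );
```

After dropping the file in place, assign the client's account the "Filtered Administrator" role from Users in wp-admin; an upload of a .php file by that account is then rejected with the standard "this file type is not permitted for security reasons" error, while a genuine administrator (or any user, given the `user_has_cap` filter) is held to the same whitelist.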

#4 @Viper007Bond
14 years ago

  • Milestone Unassigned deleted