Media: Reduce failing uploads following 4.7.1.

[39831] introduced more strict MIME type checking for uploads, which
resulted in unintentionally blocking several filetypes that were
previously valid. This change uses a more targeted approach to MIME
validation to restore previous behavior for most types.

Props blobfolio, iandunn, ipstenu, markoheijnen, xknown, joemcgill.
Fixes #39550, #39552.
Built from https://develop.svn.wordpress.org/trunk@40124


git-svn-id: http://core.svn.wordpress.org/trunk@40061 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Joe McGill 2017-02-25 16:08:44 +00:00
parent 454acad22e
commit 87ad9e31ab
2 changed files with 21 additions and 10 deletions


@ -2269,15 +2269,15 @@ function wp_check_filetype_and_ext( $file, $filename, $mimes = null ) {
return compact( 'ext', 'type', 'proper_filename' ); return compact( 'ext', 'type', 'proper_filename' );
} }
$real_mime = false;
// Validate image types. // Validate image types.
if ( $type && 0 === strpos( $type, 'image/' ) ) { if ( $type && 0 === strpos( $type, 'image/' ) ) {
// Attempt to figure out what type of image it actually is // Attempt to figure out what type of image it actually is
$real_mime = wp_get_image_mime( $file ); $real_mime = wp_get_image_mime( $file );
if ( ! $real_mime ) { if ( $real_mime && $real_mime != $type ) {
$type = $ext = false;
} elseif ( $real_mime != $type ) {
/** /**
* Filters the list mapping image mime types to their respective extensions. * Filters the list mapping image mime types to their respective extensions.
* *
@ -2308,20 +2308,31 @@ function wp_check_filetype_and_ext( $file, $filename, $mimes = null ) {
$ext = $wp_filetype['ext']; $ext = $wp_filetype['ext'];
$type = $wp_filetype['type']; $type = $wp_filetype['type'];
} else { } else {
$type = $ext = false; // Reset $real_mime and try validating again.
$real_mime = false;
} }
} }
} elseif ( function_exists( 'finfo_file' ) ) { }
// Use finfo_file if available to validate non-image files.
// Validate files that didn't get validated during previous checks.
if ( $type && ! $real_mime && extension_loaded( 'fileinfo' ) ) {
$finfo = finfo_open( FILEINFO_MIME_TYPE ); $finfo = finfo_open( FILEINFO_MIME_TYPE );
$real_mime = finfo_file( $finfo, $file ); $real_mime = finfo_file( $finfo, $file );
finfo_close( $finfo ); finfo_close( $finfo );
// If the extension does not match the file's real type, return false. /*
if ( $real_mime !== $type ) { * If $real_mime doesn't match what we're expecting, we need to do some extra
* vetting of application mime types to make sure this type of file is allowed.
* Other mime types are assumed to be safe, but should be considered unverified.
*/
if ( $real_mime && ( $real_mime !== $type ) && ( 0 === strpos( $real_mime, 'application' ) ) ) {
$allowed = get_allowed_mime_types();
if ( ! in_array( $real_mime, $allowed ) ) {
$type = $ext = false; $type = $ext = false;
} }
} }
}
/** /**
* Filters the "real" file type of the given file. * Filters the "real" file type of the given file.
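Review bot: The new fallback only rejects a mismatch when finfo's detected type begins with `application`, so a file whose declared `$type` disagrees with the detected type in any other family (text/*, audio/*, video/*) keeps its original `$type` and `$ext` and continues as, in the comment's own words, unverified; this is worth stating in the docblock of the `wp_check_filetype_and_ext` filter that follows, since that filter is the hook where a site can apply a stricter policy to the `$real_mime` it receives. The allowed-list lookup should also be strict, `if ( ! in_array( $real_mime, $allowed, true ) ) {`, so a loose comparison can never match anything but the exact MIME string. Note too that `$real_mime` is now initialised to `false` before the image branch and left as the image MIME when wp_get_image_mime() succeeds, which is what correctly skips the finfo pass for verified images; a one-line comment on `$real_mime = false;` saying `// false until a detector confirms the type; set by wp_get_image_mime() or finfo_file()` would make that flow obvious. wp_check_filetype_and_ext() starts and ends outside this hunk.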


@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.8-alpha-40123'; $wp_version = '4.8-alpha-40124';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.