Upstream/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2024-11-12 13:44:21 +01:00
Code Issues Projects Releases Wiki Activity

Don't allow non-image uploads for custom headers and backgrounds. props kovshenin. fixes #22149.

Browse Source 
git-svn-id: http://core.svn.wordpress.org/trunk@22521 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Andrew Nacin 2012-11-10 05:36:37 +00:00
parent 2d13e264a4
commit e14ff50cfb
3 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
wp-admin/custom-background.php
View File

@ -355,7 +355,13 @@ if ( current_theme_supports( 'custom-background', 'default-color' ) )
check_admin_referer('custom-background-upload', '_wpnonce-custom-background-upload');
$overrides = array('test_form' => false);
$file = wp_handle_upload($_FILES['import'], $overrides);
$uploaded_file = $_FILES['import'];
$wp_filetype = wp_check_filetype_and_ext( $uploaded_file['tmp_name'], $uploaded_file['name'], false );
if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) )
wp_die( __( 'The uploaded file is not a valid image. Please try again.' ) );
$file = wp_handle_upload($uploaded_file, $overrides);
if ( isset($file['error']) )
wp_die( $file['error'] );

8
wp-admin/custom-header.php
View File

@ -768,7 +768,13 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
*/
function step_2_manage_upload() {
$overrides = array('test_form' => false);
$file = wp_handle_upload($_FILES['import'], $overrides);
$uploaded_file = $_FILES['import'];
$wp_filetype = wp_check_filetype_and_ext( $uploaded_file['tmp_name'], $uploaded_file['name'], false );
if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) )
wp_die( __( 'The uploaded file is not a valid image. Please try again.' ) );
$file = wp_handle_upload($uploaded_file, $overrides);
if ( isset($file['error']) )
wp_die( $file['error'], __( 'Image Upload Error' ) );

11
wp-admin/includes/ajax-actions.php
View File

@ -1609,6 +1609,17 @@ function wp_ajax_upload_attachment() {
$post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
// If the context is custom header or background, make sure the uploaded file is an image.
if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) {
$wp_filetype = wp_check_filetype_and_ext( $_FILES['async-upload']['tmp_name'], $_FILES['async-upload']['name'], false );
if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) ) {
wp_send_json_error( array(
'message' => __( 'The uploaded file is not a valid image. Please try again.' ),
'filename' => $_FILES['async-upload']['name'],
) );
}
}
$attachment_id = media_handle_upload( 'async-upload', $post_id, $post_data );
if ( is_wp_error( $attachment_id ) ) {