[wp-trac] [WordPress Trac] #40175: Upload Validation / MIME Handling
WordPress Trac
noreply at wordpress.org
Thu Mar 16 21:37:12 UTC 2017
#40175: Upload Validation / MIME Handling
--------------------------+-----------------------------
Reporter: blobfolio | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Media | Version: 4.7.3
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
A security fix implemented in WordPress `4.7.1` relies on a PHP extension
(`fileinfo`) with inconsistent reporting behavior. As a result, many users
(even after #39550) trying to upload various types of files (office
documents, multimedia, fonts, etc.) have received validation errors.
In a nutshell, this is because the media types returned by `fileinfo` vary
from server to server and file to file. If PHP returns a media type
beginning `application/*`, that media type must be whitelisted or the
result will fail.
Because most incorrect/historical answers from `fileinfo` begin
`application/*`, this is resulting in a large number of false positives.
There are three main ways to address this, with a combination approach
being preferred:
'''1)''' The conditional in `wp_check_filetype_and_ext` could be
restricted so that rather than searching `application/*` broadly, it looks
only at the narrow file types at the heart of the original security issue.
'''This option requires review from the Security Team.'''
'''2)''' The WordPress Core could be extended to provide "MIME alias"
awareness. This would allow WordPress to properly match a given
extension/MIME pairing even in cases where the MIME type is historically
valid, but not the singular type in the whitelist. See #39963 for related
information.
'''3)''' WP could be extended to maintain its own `mime.types` file, which
can be passed to `fileinfo`, providing more consistent responses. '''This
option requires the MIME alias handling to avoid breaking sites or plugins
which hook into `upload_mimes`.'''
'''Duplicate/related tickets are being collapsed into this thread. Please
continue all related discussion here.'''
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40175>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
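The extension/MIME comparison the ticket describes, shown as an added PHP example that is not WordPress core code: a strict check that fails whenever fileinfo's answer differs from the whitelisted type, beside an alias-aware check in the spirit of option 2. The `$allowed_mimes` subset, the `$mime_aliases` table and the reported types are constructed for illustration, not values taken from WordPress.

```php
<?php
// Added example (not WordPress core code). Mirrors the check the ticket
// describes: the type fileinfo reports for an upload is compared with the
// type whitelisted for the file's extension. The alias table is
// hypothetical, constructed for illustration.

// Extension => whitelisted MIME type (a subset of an 'upload_mimes' map).
$allowed_mimes = [
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'pdf'  => 'application/pdf',
    'jpg'  => 'image/jpeg',
];

// Hypothetical alias table: canonical type => other types some fileinfo
// builds return for the same format (e.g. OOXML files are zip containers).
$mime_aliases = [
    'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
        => ['application/zip', 'application/octet-stream'],
    'application/pdf' => ['application/x-pdf'],
];

// Strict check (the 4.7.1 behaviour): the reported type must equal the
// whitelisted type exactly.
function strict_mime_ok(string $ext, string $reported, array $allowed): bool {
    return isset($allowed[$ext]) && $allowed[$ext] === $reported;
}

// Alias-aware check (option 2 in the ticket): accept the canonical type or
// a registered alias; a type belonging to another format is still rejected.
function alias_mime_ok(string $ext, string $reported, array $allowed, array $aliases): bool {
    if (!isset($allowed[$ext])) {
        return false; // extension is not uploadable at all
    }
    $canonical = $allowed[$ext];
    return $reported === $canonical
        || in_array($reported, $aliases[$canonical] ?? [], true);
}

// Constructed scenarios: what fileinfo might report for each upload.
$uploads = [
    ['report.docx', 'application/zip'],          // historical answer: strict fails
    ['notes.pdf',   'application/x-pdf'],        // legacy name: strict fails
    ['photo.jpg',   'application/octet-stream'], // not an alias of image/jpeg: both fail
];
foreach ($uploads as [$name, $reported]) {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    printf("%-12s %-26s strict=%-4s alias=%s\n", $name, $reported,
        strict_mime_ok($ext, $reported, $allowed_mimes) ? 'ok' : 'FAIL',
        alias_mime_ok($ext, $reported, $allowed_mimes, $mime_aliases) ? 'ok' : 'FAIL');
}
```

The first two uploads pass only the alias-aware check, which is the false-positive class the ticket reports; the third fails both, since an alias table only widens matching for types that are known to name the same format.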