[wp-hackers] is wp_check_filetype() stupid?
Omry Yadan
omry at yadan.net
Sun Jun 17 05:27:45 GMT 2007
From the security point of view, whitelisting is a much better alternative.
Abel Cheung wrote:
> I just noticed I can't upload any patch file to wordpress; wondering why,
> it leads me to this snippet:
>
> function wp_check_filetype($filename, $mimes = null) {
> // Accepted MIME types are set here as PCRE unless provided.
> $mimes = is_array($mimes) ? $mimes :
> apply_filters('upload_mimes', array (
> 'jpg|jpeg|jpe' => 'image/jpeg',
> 'gif' => 'image/gif',
> 'png' => 'image/png',
> 'bmp' => 'image/bmp',
> 'tif|tiff' => 'image/tiff',
> ......
>
> Is it _vital_ to list all possible mime types this way, instead of
> blacklisting some?
> Right now:
>
> - No patch (ending in .patch or .diff) can be uploaded.
> - Not to mention ALL OpenDocument formats and PostScript
> - Nor can certain multimedia formats be uploaded, like .flv (flash movie),
> .ape (monkey's audio), and a zillion others
> - As well as quite a few compression formats like .bz2, .7z, .arj, .rar, ......
> - And package formats like .rpm, .deb, .msi, .......
> - Anybody want me to list 100 more?
>
> I'd suggest blacklisting rather than whitelisting, it's infinitely
> tiresome.
>
> Abel
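As an added illustration (not code from WordPress or from either poster) of the whitelist approach favoured above: a simplified wp_check_filetype()-style check that maps PCRE extension alternations to MIME types, plus the way a site would admit the .patch/.diff files Abel wants by extending the whitelist through an 'upload_mimes'-style callback rather than switching to a blacklist. The text/x-diff MIME type, the callback name and the sample filenames are assumptions made for this example.

```php
<?php
// Added example, not WordPress code: whitelist-based filetype check in the
// spirit of wp_check_filetype(). WordPress itself is not loaded, so the
// 'upload_mimes' filter is stood in for by a plain callback.

/**
 * Return ['ext' => ..., 'type' => ...] for a whitelisted filename, or
 * ['ext' => false, 'type' => false] when the extension is not listed.
 * Keys of $mimes are PCRE alternations of extensions, as in the quoted array.
 */
function check_filetype_whitelist(string $filename, array $mimes): array {
    $result = ['ext' => false, 'type' => false];
    foreach ($mimes as $ext_pattern => $mime) {
        // Anchor on the final extension and match case-insensitively, so
        // "photo.JPG" is accepted while "photo.jpg.txt" is judged by ".txt".
        if (preg_match('/\.(' . $ext_pattern . ')$/i', $filename, $m)) {
            $result['ext']  = strtolower($m[1]);
            $result['type'] = $mime;
            return $result;
        }
    }
    return $result; // nothing matched: reject, the safe default of a whitelist
}

// Default whitelist: a subset of the quoted array, constructed for this example.
$default_mimes = [
    'jpg|jpeg|jpe' => 'image/jpeg',
    'gif'          => 'image/gif',
    'png'          => 'image/png',
];

// Hypothetical 'upload_mimes'-style callback: a site that needs patch uploads
// adds exactly those types instead of trying to enumerate everything to block.
// text/x-diff is a commonly used, unregistered type (assumption).
function allow_patch_files(array $mimes): array {
    $mimes['patch|diff'] = 'text/x-diff';
    return $mimes;
}
$mimes = allow_patch_files($default_mimes);

// Sample upload names, constructed for this example.
$uploads = ['fix-typo.patch', 'photo.JPG', 'report.odt', 'notes.txt'];
foreach ($uploads as $name) {
    $r = check_filetype_whitelist($name, $mimes);
    printf("%-16s %s\n", $name,
        $r['type'] ? "allowed as {$r['type']}" : 'rejected (not whitelisted)');
}
```

With the callback applied, fix-typo.patch and photo.JPG are allowed and report.odt and notes.txt are rejected; removing allow_patch_files() rejects the patch again, which is the trade-off the thread is about.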