[wp-hackers] is wp_check_filetype() stupid?

Peter Westwood peter.westwood at ftwr.co.uk
Sun Jun 17 08:33:18 GMT 2007


Abel Cheung wrote:
> I just noticed I can't upload any patch file to wordpress; wondering why,
> it leads me to this snippet:
> 
> function wp_check_filetype($filename, $mimes = null) {
>        // Accepted MIME types are set here as PCRE unless provided.
>        $mimes = is_array($mimes) ? $mimes :
> apply_filters('upload_mimes', array (
>                'jpg|jpeg|jpe' => 'image/jpeg',
>                'gif' => 'image/gif',
>                'png' => 'image/png',
>                'bmp' => 'image/bmp',
>                'tif|tiff' => 'image/tiff',
>                ......
> 
> Is it _vital_ to list all possible mime types this way, instead of
> blacklisting some?
> Right now:
> 
> - No patch (ending in .patch or .diff) can be uploaded.
> - Not to mention ALL OpenDocument formats and PostScript
> - Nor can certain multimedia formats be uploaded, like .flv (flash movie),
> .ape (monkey's audio), and a zillion others
> - As well as quite a few compression formats like .bz2, .7z, .arj, .rar,
> ......
> - And package formats like .rpm, .deb, .msi, .......
> - Anybody want me to list 100 more?
> 
> I'd suggest blacklisting rather than whitelisting, it's infinitely
> tiresome.

Whitelisting is much safer from a security point of view.

Adding extra mime-types is simple - the list is passed to the
upload_mimes filter [1] for you to easily modify from a plugin.

At least one plugin is available to allow you to configure extra
mime_types from within WordPress [2].

[1] http://wphooks.flatearth.org/hooks/upload_mimes/
[2] http://blog.ftwr.co.uk/wordpress/mime-config/

westi
--
Peter Westwood
http://blog.ftwr.co.uk
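As an added illustration of the upload_mimes approach westi describes (example code, not from the thread or from WordPress core), here is a small plugin that widens the whitelist with the extensions Abel mentions; the MIME strings and the manage_options capability check are assumptions, not something the thread specifies.

```php
<?php
/*
Plugin Name: Extra upload MIME types (added example)
*/

// Added example, not code from the thread or from WordPress core.
// Each array key is a PCRE alternation of extensions, matching the
// format of core's default list; the value is the MIME type recorded
// for the upload. Keep this list to what the site actually needs and
// leave out anything the server executes or the browser renders
// actively (php, html, js, svg), since the whitelist is the control.
function example_extra_upload_mimes( $mimes ) {
    // Assumption: only users allowed to administer the site get the
    // wider list; drop this check if every uploader should have it.
    if ( ! current_user_can( 'manage_options' ) ) {
        return $mimes;
    }
    $extra = array(
        'patch|diff' => 'text/x-diff',
        'odt'        => 'application/vnd.oasis.opendocument.text',
        'ods'        => 'application/vnd.oasis.opendocument.spreadsheet',
        'ps'         => 'application/postscript',
        'bz2'        => 'application/x-bzip2',
        '7z'         => 'application/x-7z-compressed',
    );
    // array_merge lets later arguments win on duplicate string keys,
    // so nothing core or another plugin already set is overridden.
    return array_merge( $extra, $mimes );
}
add_filter( 'upload_mimes', 'example_extra_upload_mimes' );
```

Once active, wp_check_filetype() sees the extra keys through the filter and accepts those extensions without any change to the core whitelist.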

