[wp-trac] [WordPress Trac] #17061: media_sideload_image() allows upload of 301-redirected non-images
WordPress Trac
wp-trac at lists.automattic.com
Wed Apr 6 14:39:09 UTC 2011
#17061: media_sideload_image() allows upload of 301-redirected non-images
--------------------------+-----------------------------
Reporter: Coolkevman | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: HTTP | Version: 3.1.1
Severity: normal | Keywords:
--------------------------+-----------------------------
When you give {{{media_sideload_image()}}} URLs that are not images, an
error is raised.
If for example I do:
{{{
media_sideload_image("http://google.com", $post_id, $img_desc);
}}}
then I get this error:
{{{
Sorry, this file type is not permitted for security reasons.
}}}
And this is absolutely normal and expected.
But there is a case when {{{media_sideload_image()}}} does not detect
non-images. This case is when the URL given to the function looks like an
image but is redirected by Apache to another place.
For example, on my server, this URL:
{{{
http://coolcavemen.com/e107_plugins/autogallery/Gallery/default.jpg
}}}
redirects to:
{{{
http://coolcavemen.com/photos/
}}}
Now if in some PHP code I do:
{{{
media_sideload_image("http://coolcavemen.com/e107_plugins/autogallery/Gallery/default.jpg",
$post_id, $img_desc);
}}}
then no error is raised and I end up with the HTML served at
{{{http://coolcavemen.com/photos/}}} being uploaded to my WordPress site
as-is:
{{{
kevin at kev-laptop$ file ./wp-content/uploads/2011/04/default.jpg
./wp-content/uploads/2011/04/default.jpg: HTML document text
}}}
Of course this upload appears broken in the media manager, as you can see
in this screenshot: http://twitpic.com/4hlyks
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17061>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
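
The mismatch this ticket describes (a `.jpg` URL whose response body is HTML) can be caught by comparing the extension the URL claims against the magic bytes of the downloaded body. The following is an added example, not part of the original ticket and not WordPress's own code; the function names and the sample bodies are constructed for illustration, and only the URL is taken from the report.

```php
<?php
// Added example (hypothetical helper names): verify that a downloaded body
// really is the image type its URL extension claims before saving it.

/** Return the image type implied by the leading magic bytes, or null. */
function sniff_image_type(string $bytes): ?string {
    $signatures = [
        'jpg' => "\xFF\xD8\xFF",
        'png' => "\x89PNG\r\n\x1A\n",
        'gif' => "GIF8",
    ];
    foreach ($signatures as $type => $magic) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            return $type;
        }
    }
    return null;
}

/** Return the image type claimed by the URL path extension, or null. */
function claimed_image_type(string $url): ?string {
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if ($ext === 'jpeg' || $ext === 'jpe') {
        $ext = 'jpg';
    }
    return in_array($ext, ['jpg', 'png', 'gif'], true) ? $ext : null;
}

/** True only when the body's sniffed type equals the type the URL claims. */
function body_matches_url(string $url, string $body): bool {
    $claimed = claimed_image_type($url);
    return $claimed !== null && sniff_image_type($body) === $claimed;
}

// URL from the report; both bodies below are constructed samples.
$url  = 'http://coolcavemen.com/e107_plugins/autogallery/Gallery/default.jpg';
$html = "<!DOCTYPE html><html><body>photos</body></html>"; // redirect target
$jpeg = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00";                // JPEG/JFIF header

var_dump(body_matches_url($url, $html)); // HTML served after the redirect
var_dump(body_matches_url($url, $jpeg)); // genuine JPEG data
```

The check runs on the bytes actually received, so it gives the same answer whether or not the HTTP client followed a redirect to reach them.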