[wp-trac] [WordPress Trac] #17454: get_allowed_mime_types() does not return correct data
WordPress Trac
wp-trac at lists.automattic.com
Mon May 16 13:49:27 UTC 2011
#17454: get_allowed_mime_types() does not return correct data
--------------------------+-----------------------------
Reporter: MungoBBQ | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 3.1.2
Severity: major | Keywords:
--------------------------+-----------------------------
Hello,

I am the developer of the "Enable Media Replace" plugin. A while back, my
plugin was flagged as "insecure" by a couple of online watchlists, since
the plugin did not check what files were uploaded to replace files. A user
could then upload a .php-file and execute it. Bad idea.

So I had to resort to using get_allowed_mime_types() to check for an
allowed MIME type before writing an uploaded file to disk. It works fine,
except get_allowed_mime_types does not include MIME types added by a
filter such as "add_filter('upload_mimes', 'addUploadMimes');"

See http://wordpress.org/support/topic/plugin-enable-media-replace-file-type-does-not-meet-security-guidelines
for a discussion with some users experiencing problems.

I suggest that the function "get_allowed_mime_types" should return ALL
allowed MIME types - including those added by a filter in functions.php or
a plugin.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/17454>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
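
One way a plugin can do the check the ticket describes, as an added example (not code from Enable Media Replace or from WordPress core): the replacement file is validated against get_allowed_mime_types() before anything is written to the uploads directory. The helper name emr_example_validate_replacement(), the shape of $upload (one $_FILES entry) and the sample type added in addUploadMimes() are assumptions for illustration.

```php
<?php
// The kind of callback the ticket mentions. The added type is a constructed
// sample; the hook must be registered before the allowlist is read.
function addUploadMimes( $mimes ) {
    $mimes['epub'] = 'application/epub+zip';
    return $mimes;
}
add_filter( 'upload_mimes', 'addUploadMimes' );

/**
 * Hypothetical helper (added example). Returns an array with the validated
 * MIME type and the file name to store, or a WP_Error. The caller moves the
 * temporary file into place only when an array comes back.
 *
 * @param array $upload One entry of $_FILES (name, tmp_name, error).
 */
function emr_example_validate_replacement( array $upload ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to upload files.' );
    }
    if ( UPLOAD_ERR_OK !== $upload['error'] || ! is_uploaded_file( $upload['tmp_name'] ) ) {
        return new WP_Error( 'upload_failed', 'No valid upload was received.' );
    }

    // Keys are extension patterns such as "jpg|jpeg|jpe", values are MIME
    // types. Read the list while handling the request, not at plugin load.
    $allowed = get_allowed_mime_types();

    // Do not use $upload['type']: that value is supplied by the browser.
    $name  = sanitize_file_name( $upload['name'] );
    $check = wp_check_filetype_and_ext( $upload['tmp_name'], $name, $allowed );

    // 'ext' and 'type' are false when the extension is not on the allowlist,
    // which is the case for .php unless a filter added it.
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'type_not_allowed', 'This file type is not allowed.' );
    }

    // For image files the content is inspected too; when it disagrees with
    // the extension, 'proper_filename' carries the corrected name.
    return array(
        'type' => $check['type'],
        'name' => $check['proper_filename'] ? $check['proper_filename'] : $name,
    );
}
```

The caller should treat any WP_Error as a hard stop and leave the existing attachment file untouched.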