[wp-trac] [WordPress Trac] #17454: get_allowed_mime_types() does not return correct data

WordPress Trac wp-trac at lists.automattic.com
Mon May 16 13:49:27 UTC 2011


#17454: get_allowed_mime_types() does not return correct data
--------------------------+-----------------------------
 Reporter:  MungoBBQ      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  3.1.2
 Severity:  major         |   Keywords:
--------------------------+-----------------------------
 Hello,

 I am the developer of the "Enable Media Replace" plugin. A while back, my
 plugin was flagged as "insecure" by a couple of online watchlists, since
 the plugin did not check what files were uploaded to replace files. A user
 could then upload a .php-file and execute it. Bad idea.

 So I had to resort to using get_allowed_mime_types() to check for an
 allowed MIME type before writing an uploaded file to disk. It works fine,
 except get_allowed_mime_types does not include MIME types added by a
 filter such as "add_filter('upload_mimes', 'addUploadMimes');"

 See http://wordpress.org/support/topic/plugin-enable-media-replace-file-type-does-not-meet-security-guidelines
 for a discussion with some users experiencing problems.

 I suggest that the function "get_allowed_mime_types" should return ALL
 allowed MIME types - including those added by a filter in functions.php or
 a plugin.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/17454>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
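
The check the ticket describes, as an added stand-alone PHP example (not code from WordPress core or from the Enable Media Replace plugin): an extension allowlist in the `'ext1|ext2' => 'mime/type'` map format that `upload_mimes` callbacks receive, rebuilt on every call so filter additions are included, with anything unlisted rejected. `BASE_MIMES`, `allowed_mimes()`, `check_filetype()` and the `epub` entry are assumptions made for illustration.

```php
<?php
// Added example: stand-alone model of an upload allowlist check.
// Not WordPress core code and not the plugin's code.

// Constructed base map, in the 'ext1|ext2' => 'mime/type' format upload_mimes callbacks receive.
const BASE_MIMES = [
    'jpg|jpeg|jpe' => 'image/jpeg',
    'png'          => 'image/png',
    'pdf'          => 'application/pdf',
];

// Hypothetical filter callback, shaped like the ticket's addUploadMimes.
function addUploadMimes(array $mimes): array
{
    $mimes['epub'] = 'application/epub+zip';
    return $mimes;
}

// Build the allowlist at call time so every callback registered so far is applied.
function allowed_mimes(array $filters): array
{
    $mimes = BASE_MIMES;
    foreach ($filters as $filter) {
        $mimes = $filter($mimes);
    }
    return $mimes;
}

// Default deny: both fields are false unless the final extension is on the allowlist.
function check_filetype(string $filename, array $mimes): array
{
    foreach ($mimes as $extPattern => $type) {
        // Keys come from trusted code, so '|' is used as regex alternation.
        // Anchored at the end of the name and case-insensitive.
        if (preg_match('!\.(' . $extPattern . ')$!i', $filename, $m)) {
            return ['ext' => strtolower($m[1]), 'type' => $type];
        }
    }
    return ['ext' => false, 'type' => false];
}

// Constructed sample upload names, checked without and with the extra filter.
foreach (['photo.JPG', 'shell.php', 'book.epub', 'noextension'] as $name) {
    $before = check_filetype($name, allowed_mimes([]));
    $after  = check_filetype($name, allowed_mimes(['addUploadMimes']));
    printf("%-12s before=%-6s after=%s\n", $name,
        $before['type'] ? 'allow' : 'reject', $after['type'] ? 'allow' : 'reject');
}
```

The check runs on the file name before anything is written to disk; `shell.php` is rejected in both passes, while `book.epub` is accepted only once the filter callback has been applied.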

