[wp-trac] [WordPress Trac] #39550: Some Non-image files fail to upload after 4.7.1

WordPress Trac noreply at wordpress.org
Tue Feb 28 16:16:15 UTC 2017


#39550: Some Non-image files fail to upload after 4.7.1
---------------------------+------------------------
 Reporter:  greatislander  |       Owner:  joemcgill
     Type:  defect (bug)   |      Status:  closed
 Priority:  normal         |   Milestone:  4.7.3
Component:  Upload         |     Version:  4.7.1
 Severity:  critical       |  Resolution:  fixed
 Keywords:  fixed-major    |     Focuses:
---------------------------+------------------------

Comment (by blobfolio):

 Replying to [comment:130 Blue Liquid Designs]:
 > Just an educated assumption, but there's likely going to be edge cases
 between environments that will cause incorrect mime type issues when using
 the default PHP magic database with `finfo_open`.

 Your assumption is correct, @Blue Liquid Designs. However `finfo`'s role
 in the upload validation process has been greatly reduced by @joemcgill's
 patch. It's not about finding a definitive, content-based type assignment
 for every single file (the results of which will vary widely across
 environments), so much as weeding out a few intentional corruptions.

 > To get around this problem, it might be worth considering shipping
 WordPress with its own magic database and passing that to parameter two
 of `finfo_open`. This is exactly what
 [https://www.drupal.org/project/mimedetect Drupal 7 does with their
 MimeDetect module and FileField].

 Both WordPress and Drupal already ship with a hardcoded list of 1:1 MIME
 data for whitelisted/common file types, but the larger issue is that a
 single MIME type doesn't reflect reality. Even if other MIME-knowing
 segments are ignored (PHP, server software, operating systems, browsers,
 etc.), there would still be compatibility-breaking issues as standards
 evolve across time (`.woff`, for example, has had about a half dozen MIME
 types over the past few years).

 A more future-proof approach (in the works #39963) would be to map MIME
 aliases, past, present, and vernacular. In this way, regardless of how a
 MIME type is arrived at (be it name-based, `finfo`, user input, or even
 dangerous OS `exec()` stuff like Drupal supports), it can be relatable to
 a 1:1 whitelist and handled accordingly.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39550#comment:131>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
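The alias-mapping approach described in the comment above, as an added PHP sketch that is not WordPress core code and not the #39963 patch; the alias table, the whitelist, the canonical type names and the `validate_upload` / `canonical_mime` helpers are constructed assumptions for illustration:

```php
<?php
// Alias map (constructed sample): every historical or vernacular spelling
// points at one canonical type. The .woff entries stand in for the several
// types that format has carried over the years.
const MIME_ALIASES = [
    'application/font-woff'   => 'font/woff',
    'application/x-font-woff' => 'font/woff',
    'font/woff'               => 'font/woff',
    'image/jpg'               => 'image/jpeg',
    'image/pjpeg'             => 'image/jpeg',
    'image/jpeg'              => 'image/jpeg',
    'text/csv'                => 'text/csv',
];

// 1:1 whitelist keyed by extension (constructed sample, far shorter than WP's).
const ALLOWED = [
    'woff' => 'font/woff',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'csv'  => 'text/csv',
];

// finfo answers that say nothing useful about the content; treated as "unknown".
const GENERIC = ['application/octet-stream', 'text/plain', 'application/x-empty'];

function canonical_mime(string $mime): string {
    $mime = strtolower(trim(explode(';', $mime)[0]));   // drop charset params
    return MIME_ALIASES[$mime] ?? $mime;
}

// Returns the canonical type to record, or null if the upload should be rejected.
function validate_upload(string $filename, string $contents): ?string {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;                               // extension not whitelisted
    }
    $expected = ALLOWED[$ext];

    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = canonical_mime($finfo->buffer($contents) ?: '');

    // finfo only vetoes: a generic answer is inconclusive and the name-based
    // type wins; a confident answer must agree with the whitelist once normalized.
    if (in_array($detected, GENERIC, true) || $detected === $expected) {
        return $expected;
    }
    return null;
}
```

Because comparison happens after normalization, a detector that reports `application/x-font-woff` on one host and `font/woff` on another yields the same decision, which is the environment-independence the comment is after.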