[wp-trac] [WordPress Trac] #39550: Some Non-image files fail to upload after 4.7.1 (was: Non-image files with the application/octet-stream mime type cannot be uploaded)
WordPress Trac
noreply at wordpress.org
Thu Jan 12 15:09:08 UTC 2017
#39550: Some Non-image files fail to upload after 4.7.1
---------------------------+------------------------
Reporter: greatislander | Owner: joemcgill
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 4.7.2
Component: Upload | Version: trunk
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
---------------------------+------------------------
Changes (by joemcgill):
* status: new => assigned
* focuses: administration =>
* owner: => joemcgill
* keywords: => needs-patch
Old description:
> Since [39831], a valid Word document (with the `.docx` extension) which
> has the `application/octet-stream` mime type can no longer be uploaded as
> the comparison in
> [https://core.trac.wordpress.org/browser/trunk/src/wp-includes/functions.php?rev=39831#L2324 this block] will fail.
>
> A Word document can end up with this mime type when downloaded from a web
> server (this happens on GitHub, and I'm sure many other places) or when
> exported from an application other than Microsoft Word (e.g. Apple Pages,
> macOS 10.12).
>
> There are certainly security considerations around modifying this
> behaviour, but as it stands, this change appears to be a regression from
> earlier versions, as many valid files can no longer be uploaded.
New description:
'''UPDATE:''' This issue affects more than just Word documents as
initially reported. This ticket can be used to track related issues with
all non-image files failing to load after 4.7.1 with an error message of
`Sorry, this file type is not permitted for security reasons`.
===
Since [39831], a valid Word document (with the `.docx` extension) which
has the `application/octet-stream` mime type can no longer be uploaded as
the comparison in
[https://core.trac.wordpress.org/browser/trunk/src/wp-includes/functions.php?rev=39831#L2324 this block] will fail.
A Word document can end up with this mime type when downloaded from a web
server (this happens on GitHub, and I'm sure many other places) or when
exported from an application other than Microsoft Word (e.g. Apple Pages,
macOS 10.12).
There are certainly security considerations around modifying this
behaviour, but as it stands, this change appears to be a regression from
earlier versions, as many valid files can no longer be uploaded.
--
Comment:
@greatislander Thanks for the report. You're correct that [39831]
introduced more strict filetype checking in 4.7.1, which is causing
previously valid uploads to fail. As @sterndata noted, setting
`define( 'ALLOW_UNFILTERED_UPLOADS', true );` is a short-term workaround,
but one that should only be taken if you trust the users of your site not
to upload insecure files.
In the meantime, it would help us test potential fixes for this issue by
uploading or linking to example files that were previously working, but no
longer are.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39550#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform