[wp-trac] [WordPress Trac] #40175: Upload Validation / MIME Handling
WordPress Trac
noreply at wordpress.org
Thu Jul 13 20:10:50 UTC 2017
#40175: Upload Validation / MIME Handling
-------------------------------------------------+-------------------------
Reporter:  blobfolio                             | Owner:      joemcgill
Type:      defect (bug)                          | Status:     accepted
Priority:  normal                                | Milestone:  Awaiting Review
Component: Media                                 | Version:    4.7.3
Severity:  critical                              | Resolution:
Keywords:  has-unit-tests has-patch needs-testing
Focuses:   administration
-------------------------------------------------+-------------------------
Changes (by blobfolio):
* keywords: => has-unit-tests has-patch needs-testing
Comment:
This is a long thread, so here's a quick summary:
In response to a security issue, WordPress `4.7.1` added some content-
based evaluations for uploaded media. That implementation affects any file
that PHP says is `application/*`. Because PHP is not very good or
consistent at this type of detection, a lot of legitimate files are also
being blocked.
This patch instead switches to a "greylist" system, containing explicit
extensions and MIMEs (any extension can have multiple types) deserving
further scrutiny. When a file is uploaded, the content-derived type is
compared against the greylist, and if it matches, only then will it dive
deeper and maybe block the upload.
This approach both limits collateral damage and helps WP find more of the
sorts of files it was looking for in the first place.
What we need now are some eyeballs!
Please and thank you!
PS: Just be sure to temporarily disable `Lord of the Files` if your test
site has that installed. (And don't forget to reactivate it afterwards; it
contains a number of other file-related security improvements unrelated to
this ticket. Haha.)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40175#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
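The greylist idea described in the comment above, as an added illustration that is not the patch attached to ticket #40175 and not WordPress core code. It assumes a small allowlist of extensions, a greylist mapping each scrutiny-worthy extension to the several content-derived MIME types a legitimate file may report, and the function names `content_derived_type`, `is_greylisted` and `evaluate_upload`; all of these are assumptions for the demo. Content sniffing uses PHP's real `finfo` extension (libmagic), so the labels it returns depend on the installed magic database, which is exactly the inconsistency the comment points at.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not WordPress code and not the #40175 patch. Files are only
 * inspected by content when their extension, or the MIME type PHP sniffs from
 * their bytes, appears in an explicit greylist. Every constant and function
 * below is an assumption made for this demo.
 */

// Extensions the site accepts at all (assumed subset of a real allowlist).
const ALLOWED_EXTENSIONS = ['jpg', 'png', 'gif', 'pdf', 'txt', 'svg', 'html', 'xml', 'csv'];

// Greylist: extension => MIME types a legitimate file with that extension may
// report when sniffed. Several per extension, because finfo is inconsistent
// (an SVG without an XML prolog may come back as text/plain).
const UPLOAD_GREYLIST = [
    'svg'  => ['image/svg+xml', 'text/xml', 'application/xml', 'text/plain'],
    'html' => ['text/html', 'text/plain'],
    'xml'  => ['application/xml', 'text/xml', 'text/plain'],
    'csv'  => ['text/csv', 'text/plain'],
    'txt'  => ['text/plain'],
];

// Sniff the content-derived type with libmagic via finfo.
function content_derived_type(string $bytes): string
{
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $type  = finfo_buffer($finfo, $bytes);
    finfo_close($finfo);
    return $type === false ? 'application/octet-stream' : $type;
}

// True when the upload deserves a closer look: the extension is greylisted,
// or the sniffed type is one that some greylisted extension may produce.
function is_greylisted(string $ext, string $detected): bool
{
    if (isset(UPLOAD_GREYLIST[$ext])) {
        return true;
    }
    foreach (UPLOAD_GREYLIST as $types) {
        if (in_array($detected, $types, true)) {
            return true;
        }
    }
    return false;
}

// Returns ['allowed' => bool, 'reason' => string].
function evaluate_upload(string $filename, string $bytes): array
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return ['allowed' => false, 'reason' => "extension '$ext' is not permitted"];
    }

    $detected = content_derived_type($bytes);

    // Not greylisted: accept on the extension check alone. This is what keeps
    // legitimate files from being blocked merely because finfo labelled them
    // application/* or some other unexpected type.
    if (!is_greylisted($ext, $detected)) {
        return ['allowed' => true, 'reason' => "'$ext' / $detected is not greylisted"];
    }

    // Greylisted: dive deeper. Here "deeper" means the sniffed type must be
    // one of the types the greylist expects for this extension; an extension
    // with no greylist entry has no expected set, so greylisted content under
    // that name is refused.
    $expected = UPLOAD_GREYLIST[$ext] ?? [];
    if (in_array($detected, $expected, true)) {
        return ['allowed' => true, 'reason' => "$detected is an expected type for '$ext'"];
    }
    return ['allowed' => false, 'reason' => "content sniffed as $detected, which '$ext' is not expected to contain"];
}

// Constructed sample uploads (not files from the ticket).
$samples = [
    'photo.png'   => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64),
    'notes.txt'   => "just some notes\n",
    'logo.svg'    => "<?xml version=\"1.0\"?><svg xmlns=\"http://www.w3.org/2000/svg\"/>",
    'renamed.csv' => "<!DOCTYPE html><html><body>not a csv</body></html>",
    'fake.png'    => "<!DOCTYPE html><html><body>not an image</body></html>",
];

foreach ($samples as $name => $bytes) {
    $result = evaluate_upload($name, $bytes);
    printf("%-12s %-8s %s\n", $name, $result['allowed'] ? 'allowed' : 'blocked', $result['reason']);
}
```

Run it with `php greylist_demo.php`. The PNG sample is accepted whatever libmagic calls it, because neither `png` nor an image type is greylisted; the two HTML-bodied samples are refused only after the greylist match triggers the deeper comparison, and a `.txt` or `.svg` file whose sniffed type is one of its listed alternatives passes even when finfo picks the less specific label.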