[wp-trac] [WordPress Trac] #40078: Lingering issues with office files

WordPress Trac noreply at wordpress.org
Thu Mar 9 13:22:19 UTC 2017 

#40078: Lingering issues with office files
--------------------------+-----------------------------
 Reporter:  Bryan_B       |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Upload        |    Version:  4.7.3
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 This is a follow-up to #39550.

 There are still lingering issues regarding office files and MIME type
 checking. PPT files resolve as generic application/vnd.ms-office even when
 saved directly from powerpoint for MAC. PPTX/DOCX/XLSX resolve to
 application/zip files which is a perfectly valid interpretation of those
 file formats - so multisites need zip files whitelisted to pass the MIME
 check on those. I've had to resolve octet-stream by providing a dummy file
 extension entry with that as the MIME type.

 Ultimately, magic MIME checks in PHP's file are not reliable enough across
 installations to really consider 4.7.3 a resolution to the problem.

 Anyone managing a multisite on behalf of a large number of clients will
 not sufficiently be able to use education of users and spot fixes for
 these issues. As far as users are concerned their perfectly valid files
 are being rejected for no good reason. Whether because they downloaded the
 file and the server served it up as octet-stream, or their application is
 saving them with incorrect MIME types, or the magic mime file does not
 resolve to the proper format.

 It might be beneficial to include a new field in settings for MIME
 whitelist (similar to the way multisite whitelists file extensions) and
 ONLY check finfo real mime type against this list. The array could be pre-
 populated from get_allowed_mime_types but merge in custom entries for the
 finfo check. Allowing admins to whitelist non-standard, but valid, MIME
 types and still allow WordPress to provide behavior protecting against
 files lying about their contents.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40078>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list