[wp-trac] [WordPress Trac] #40175: Upload Validation / MIME Handling

WordPress Trac noreply at wordpress.org
Fri Mar 17 14:20:13 UTC 2017


#40175: Upload Validation / MIME Handling
--------------------------+------------------------------
 Reporter:  blobfolio     |       Owner:  joemcgill
     Type:  defect (bug)  |      Status:  accepted
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Media         |     Version:  4.7.3
 Severity:  critical      |  Resolution:
 Keywords:                |     Focuses:
--------------------------+------------------------------

Comment (by blobfolio):

 Replying to [comment:5 joemcgill]:
 > It's probably helpful to define some base assumptions here. Before
 [39831], WordPress essentially trusted that all uploaded files were
 exactly what they claimed to be, based on the file extension.

 I agree.

 Prior to 4.7.1, WordPress itself was the only source of information about
 a file's media type, so all file handling had a predictable framework to
 deal with. But now that an outside source of information has been added
 (two actually), we've crossed the Rubicon.

 If ''any'' amount of outside information is to be used by WordPress, there
 needs to be a system in place to reconcile that information with
 WordPress' own whitelisting system. Otherwise any contradiction will
 result in failure.

 That isn't addressed by '''(1)''', however limiting the amount of outside
 information being used for validation will result in fewer innocent files
 being mistakenly caught in the net.

 '''(2)''' tackles the problem directly by acting as a sort of Babel Fish,
 and will help futureproof the platform. It also affords opportunities for
 later enhancements, such as more aggressive upload validation or '''(3)'''
 below.

 '''(3)''' is more of an enhancement than an immediate fix to the problem.
 It would be helpful for data consistency, but would create conflicts with
 existing sites and plugins that have extended their whitelists (unless we
 have '''(2)''' already in place).

 > From what I can tell, this was mainly a UX improvement when working with
 images, to avoid editor errors and was not strict about allowing uploads
 based on actual mime types.

 Definitely. (Correctly) renaming images before handing them off to the
 thumbnail components is necessary to avoid errors. Insofar as I can tell,
 this piece has worked as expected since 4.7.1.

 The only image-related upload validation issues were due to unusual types
 like WEBP or SVG that individuals may have added to their whitelists.
 #39550 fixed that, except in cases where the server returns an (incorrect)
 `application/*` type for the file.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40175#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
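
The contradiction described in the comment above (an outside detector naming a file differently from the extension whitelist) and one way to reconcile it, as an added example that is not part of the original comment or of WordPress core. The function names and the alias entries are hypothetical and constructed for illustration; the detected type is passed in as a string so the example runs without a detector.

```php
<?php
// Added illustration, not WordPress core code; all function names are hypothetical.

// Extension => media type whitelist (several extensions may share a key, separated by "|").
$allowed = [
    'jpg|jpeg|jpe' => 'image/jpeg',
    'svg'          => 'image/svg+xml', // a type a site added itself
];

// Constructed alias table: other names a detector might report for a
// whitelisted type. Sample values only, not a vetted list.
$aliases = [
    'image/svg+xml' => ['image/svg', 'application/svg+xml'],
];

// Whitelisted type for the filename's extension, or null if not allowed.
function type_for_extension(string $filename, array $allowed): ?string {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    foreach ($allowed as $exts => $type) {
        if (in_array($ext, explode('|', $exts), true)) {
            return $type;
        }
    }
    return null;
}

// Strict: any disagreement between detector and whitelist rejects the file.
function validate_strict(string $filename, string $detected, array $allowed): bool {
    $expected = type_for_extension($filename, $allowed);
    return $expected !== null && $expected === strtolower($detected);
}

// Reconciled: accept the whitelisted type or a known alias of it.
// Names that are neither still fail closed.
function validate_reconciled(string $filename, string $detected, array $allowed, array $aliases): bool {
    $expected = type_for_extension($filename, $allowed);
    if ($expected === null) {
        return false;
    }
    $detected = strtolower($detected);
    return $detected === $expected || in_array($detected, $aliases[$expected] ?? [], true);
}

// Constructed cases: filename and the type an outside detector reported.
$cases = [['logo.svg', 'image/svg+xml'], ['logo.svg', 'application/svg+xml'], ['logo.svg', 'text/html']];
foreach ($cases as [$file, $detected]) {
    $strict = validate_strict($file, $detected, $allowed) ? 'accept' : 'reject';
    $recon  = validate_reconciled($file, $detected, $allowed, $aliases) ? 'accept' : 'reject';
    printf("%-9s %-20s strict=%s reconciled=%s\n", $file, $detected, $strict, $recon);
}
```

Only the second case differs between the two checks: the strict comparison rejects a file whose detected name is an alias of its whitelisted type, while a detected type outside the alias list is rejected by both.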