[wp-trac] [WordPress Trac] #40175: Upload Validation / MIME Handling

WordPress Trac noreply at wordpress.org
Thu Apr 30 17:14:23 UTC 2020


#40175: Upload Validation / MIME Handling
-------------------------------------------------+-------------------------
 Reporter:  blobfolio                            |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  assigned
 Priority:  high                                 |   Milestone:  Future
                                                 |  Release
Component:  Media                                |     Version:  4.7.3
 Severity:  major                                |  Resolution:
 Keywords:  has-unit-tests early needs-dev-note  |     Focuses:
                                                 |  administration
-------------------------------------------------+-------------------------

Comment (by clok):

 Wanted to add another file extension/type failing for me that I haven't
 seen reported yet:
 test.css => text/css based on the array, but fileinfo is returning it as
 text/plain
 WordPress 5.2.3
 PHP 7.3.17 (Remi's)

 Any CSS file will do.  Adding text/css to the array within functions.php
 in the "elseif ( 'text/plain' === $real_mime )" code block will make it
 work again.

 The troubling part about this bug (and its perpetual delay for a more
 perfect solution) for me is that while the logic changed to explicitly
 deny files whose extensions don't match their determined mime type, the
 interface for whitelisting didn't. So in vanilla multisite WordPress I am
 told I can state I want to allow "css" file extension uploads, but the
 code doesn't care because the file itself doesn't match behind the scenes
 and all I'm told is "not allowed for security reasons".  If I had a field
 for telling it the mime types I want to allow matched with their
 extensions and/or the error was more explicit about what mime type my file
 was diagnosed as and thus why it was excluded, then I would have recourse
 without waiting for the solution to be implemented.  I could add my own
 workarounds as needed for whatever obscure combination of mime type and
 file extension is holding up each of our work (and to be honest, uploading
 CSS files to WordPress isn't exactly obscure in my mind...).

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/40175#comment:80>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
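
The comment above describes two gaps: a .css upload is rejected because fileinfo reports text/plain, and the error does not say which type was detected. The following is an added example, not code from the ticket or from WordPress core, showing one way to cover both from a plugin without editing core files. It assumes WordPress 5.1 or later, where the wp_check_filetype_and_ext filter passes the detected type as a fifth argument; the function name is hypothetical.

```php
<?php
/**
 * Added example, not WordPress core code. Function name is hypothetical.
 * Assumes WordPress 5.1+ (the filter passes $real_mime as its 5th argument).
 */
function example_css_plain_text_exception( $data, $file, $filename, $mimes, $real_mime = null ) {
	// Core accepted the file: leave its decision alone.
	if ( ! empty( $data['ext'] ) && ! empty( $data['type'] ) ) {
		return $data;
	}

	// What the extension maps to in the allowed list. A null $mimes falls
	// back to get_allowed_mime_types() inside wp_check_filetype().
	$by_name = wp_check_filetype( $filename, $mimes );

	// Record what fileinfo reported, so a rejection can be diagnosed.
	error_log( sprintf(
		'Upload rejected: name=%s extension_type=%s detected_type=%s',
		sanitize_file_name( $filename ),
		$by_name['type'] ? $by_name['type'] : 'not allowed',
		$real_mime ? $real_mime : 'unknown'
	) );

	// Narrow exception: a .css name, allowed as text/css, detected as
	// text/plain. Every other extension/type mismatch stays rejected.
	if ( 'css' === $by_name['ext']
		&& 'text/css' === $by_name['type']
		&& 'text/plain' === $real_mime
	) {
		$data['ext']  = 'css';
		$data['type'] = 'text/css';
	}

	return $data;
}
add_filter( 'wp_check_filetype_and_ext', 'example_css_plain_text_exception', 10, 5 );
```

The exception only applies when the css extension is already in the allowed list, so the existing extension setting still decides whether CSS uploads are permitted at all.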

