[wp-trac] [WordPress Trac] #50136: Files types not included in Upload file types are allowed to be uploaded because of loose file extension check
WordPress Trac
noreply at wordpress.org
Sat May 9 14:27:00 UTC 2020
#50136: Files types not included in Upload file types are allowed to be uploaded
because of loose file extension check
--------------------------+-----------------------------
 Reporter:  Nikschavan    |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:
 Severity:  normal        |   Keywords:
  Focuses:  multisite     |
--------------------------+-----------------------------
A loose file-extension check in WordPress allows an extended number of
file types to be uploaded despite not being mentioned in the Upload file
types setting in a multisite.
This happens because the condition to check the file extensions passes
even if part of the extension passes.
([https://github.com/WordPress/WordPress/blob/cad04902d6a162ba8320f82a6c65c7eb58cf9759/wp-includes/ms-functions.php#L1814 Code Link])
Steps To Reproduce:
On a WordPress Multisite -
1. Navigate to the Network settings, add file type `tx` to the setting
Upload file types.
2. On any sub-site, try to upload a .txt file and it should be uploaded.
3. Any file extension has to match in just part with the extensions
allowed in the network setting to be allowed to be uploaded.
For example - if you add the `xls` file type, files `xlsm`, `xlsx`, `xlsb` etc.
are allowed to be uploaded.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50136>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
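
The behaviour reported in the ticket, reproduced as an added example (not WordPress code and not part of the original message): a substring comparison against pipe-separated extension patterns, next to an exact-match version. The function names and the sample MIME map are assumptions made for this illustration.

```php
<?php
// Constructed sample map (assumption): extension pattern => MIME type.
$mimes = array(
    'txt|asc|c|cc|h|srt' => 'text/plain',
    'xla|xls|xlt|xlw'    => 'application/vnd.ms-excel',
    'xlsx'               => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
    'xlsm'               => 'application/vnd.ms-excel.sheet.macroEnabled.12',
    'xlsb'               => 'application/vnd.ms-excel.sheet.binary.macroEnabled.12',
    'jpg|jpeg|jpe'       => 'image/jpeg',
);

// Hypothetical helper: split the space-separated network setting into extensions.
function configured_exts( string $setting ): array {
    return array_map( 'strtolower', preg_split( '/\s+/', trim( $setting ), -1, PREG_SPLIT_NO_EMPTY ) );
}

// Loose filter (hypothetical name): keeps a whole pattern when the configured
// value occurs anywhere inside it, so "tx" matches "txt|asc|c|cc|h|srt".
function filter_mimes_loose( array $mimes, string $setting ): array {
    $allowed = array();
    foreach ( configured_exts( $setting ) as $ext ) {
        foreach ( $mimes as $pattern => $mime ) {
            if ( false !== strpos( $pattern, $ext ) ) {
                $allowed[ $pattern ] = $mime;
            }
        }
    }
    return $allowed;
}

// Strict filter (hypothetical name): splits each pattern on "|" and keeps only
// the alternatives that equal a configured extension exactly.
function filter_mimes_strict( array $mimes, string $setting ): array {
    $configured = configured_exts( $setting );
    $allowed    = array();
    foreach ( $mimes as $pattern => $mime ) {
        $kept = array_intersect( explode( '|', strtolower( $pattern ) ), $configured );
        if ( $kept ) {
            $allowed[ implode( '|', $kept ) ] = $mime;
        }
    }
    return $allowed;
}

// Compare both filters for the two settings named in the ticket.
foreach ( array( 'tx', 'xls' ) as $setting ) {
    printf( "%-4s loose:  %s\n", $setting, implode( ', ', array_keys( filter_mimes_loose( $mimes, $setting ) ) ) );
    printf( "%-4s strict: %s\n", $setting, implode( ', ', array_keys( filter_mimes_strict( $mimes, $setting ) ) ) );
}
```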