[wp-trac] [WordPress Trac] #50136: File types not included in Upload file types are allowed to be uploaded because of loose file extension check

WordPress Trac noreply at wordpress.org
Sat May 9 14:27:00 UTC 2020


#50136: File types not included in Upload file types are allowed to be uploaded
because of loose file extension check
--------------------------+-----------------------------
 Reporter:  Nikschavan    |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:
 Severity:  normal        |   Keywords:
  Focuses:  multisite     |
--------------------------+-----------------------------
 A loose file-extension check in WordPress allows an extended number of
 file types to be uploaded despite not being mentioned in the Upload file types
 setting in a multisite.

 This happens because the condition that checks the file extensions passes
 even if only part of the extension matches.
 ([https://github.com/WordPress/WordPress/blob/cad04902d6a162ba8320f82a6c65c7eb58cf9759/wp-includes/ms-functions.php#L1814 Code Link])

 Steps To Reproduce:
 On a WordPress Multisite -

 1. Navigate to the Network settings and add the file type `tx` to the
 Upload file types setting.
 2. On any sub-site, try to upload a .txt file; it should be uploaded.
 3. Any file extension only has to match part of one of the extensions
 allowed in the network setting to be allowed to be uploaded.
 For example, if you add the `xls` file type, files with the extensions
 `xlsm`, `xlsx`, `xlsb` etc. are allowed to be uploaded.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50136>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
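An added example (not code from the ticket or from WordPress core) that contrasts the substring-style extension match the ticket describes with a whole-token check. The MIME map and its `|`-separated pattern keys are constructed sample data in the shape WordPress uses for its extension lists; the function names are hypothetical.

```php
<?php
// Constructed sample of an allowed-MIME map: keys are '|'-separated
// extension groups, values are the MIME type for that group.
$allowed_mimes = [
    'jpg|jpeg|jpe'       => 'image/jpeg',
    'txt|asc|c|cc|h|srt' => 'text/plain',
    'xls|xlt|xla'        => 'application/vnd.ms-excel',
    'xlsx'               => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
    'xlsm'               => 'application/vnd.ms-excel.sheet.macroEnabled.12',
    'xlsb'               => 'application/vnd.ms-excel.sheet.binary.macroEnabled.12',
];

// Loose filter: the behaviour described in the ticket. A network-allowed
// extension is accepted whenever it occurs anywhere inside a pattern key,
// so 'tx' selects the 'txt|...' group and 'xls' also selects xlsx/xlsm/xlsb.
function filter_mimes_loose( array $mimes, string $site_exts ): array {
    $out = [];
    foreach ( explode( ' ', $site_exts ) as $ext ) {
        foreach ( $mimes as $pattern => $mime ) {
            if ( '' !== $ext && false !== strpos( $pattern, $ext ) ) {
                $out[ $pattern ] = $mime;
            }
        }
    }
    return $out;
}

// Strict filter: split each pattern key on '|' and require that one of its
// whole tokens equals an allowed extension. Note that a group key is kept
// as a unit, so allowing 'xls' still admits its siblings 'xlt' and 'xla'.
function filter_mimes_strict( array $mimes, string $site_exts ): array {
    $wanted = array_filter( explode( ' ', strtolower( trim( $site_exts ) ) ) );
    $out    = [];
    foreach ( $mimes as $pattern => $mime ) {
        if ( array_intersect( explode( '|', $pattern ), $wanted ) ) {
            $out[ $pattern ] = $mime;
        }
    }
    return $out;
}

// Same network setting ('tx xls') run through both filters.
print_r( array_keys( filter_mimes_loose( $allowed_mimes, 'tx xls' ) ) );
print_r( array_keys( filter_mimes_strict( $allowed_mimes, 'tx xls' ) ) );
```

With the setting `tx xls`, the loose filter keeps the `txt|asc|c|cc|h|srt`, `xls|xlt|xla`, `xlsx`, `xlsm` and `xlsb` groups, while the strict filter keeps only `xls|xlt|xla`.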

