[wp-trac] [WordPress Trac] #50136: File types not included in Upload file types are allowed to be uploaded because of loose file extension check
WordPress Trac
noreply at wordpress.org
Mon May 11 05:25:26 UTC 2020
#50136: File types not included in Upload file types are allowed to be uploaded because of loose file extension check
--------------------------+------------------------------
Reporter: Nikschavan | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upload | Version:
Severity: normal | Resolution:
Keywords: | Focuses: multisite
--------------------------+------------------------------
Comment (by Nikschavan):
Hi @ayeshrajans
>This should block tx and tx* file extensions if tx is in the allow-list. Not the other way around that txt is allowed when tx is in the allow-list.
I am not sure about this. Can you try this out once to see if that is the case? I
could reproduce the steps that I have mentioned where the `txt` file is
allowed when `tx` is allowed.
Here is a test snippet: https://3v4l.org/jUQY3. This demonstrates that
over 10 file extensions are allowed when only `tx xls` files are approved.
It can be seen that `pptx` and `potx` are allowed as they match `tx` in the
above-mentioned condition.
>`!preg_match('/\b' . preg_quote($ext, '/') . '\b/i')` would be a better check.
One thing to note: there are also file extension groups, e.g.
`onetoc|onetoc2|onetmp|onepkg`, from which any one extension can be matched.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50136#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
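The two checks discussed in this comment, side by side, as an added example (constructed here, not code from the ticket, the 3v4l snippet, or WordPress itself). The extension table is a small constructed subset whose keys have the shape the comment describes: single extensions and `|`-separated groups such as `onetoc|onetoc2|onetmp|onepkg`. `loose_allowed_patterns` models the substring test that lets an allow-list entry `tx` match `pptx` and `potx`; `strict_allowed_patterns` models the `\b`-bounded `preg_match` proposed in the quoted reply. The example also shows the caveat raised at the end of the comment: even the strict check grants a whole group once any one extension in it is allow-listed, because the table maps the group to a single MIME type.

```python
import re

# Constructed subset of an "extension pattern -> MIME type" table.
# Keys are either one extension or a '|'-separated group, as in the ticket.
MIME_TABLE = {
    "txt": "text/plain",
    "xls|xla|xlt|xlw": "application/vnd.ms-excel",
    "xlsx": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "pptx": "application/vnd.openxmlformats-officedocument.presentationml.presentation",
    "potx": "application/vnd.openxmlformats-officedocument.presentationml.template",
    "onetoc|onetoc2|onetmp|onepkg": "application/onenote",
    "jpg|jpeg": "image/jpeg",
}


def _site_extensions(allow_list: str) -> list:
    """Split a space-separated allow-list, dropping empty entries."""
    return [ext for ext in allow_list.split(" ") if ext != ""]


def loose_allowed_patterns(allow_list: str, table: dict = MIME_TABLE) -> dict:
    """The loose check: an allow-list entry matches any pattern that merely
    CONTAINS it (the Python equivalent of `false !== strpos($pattern, $ext)`).
    With 'tx' allow-listed this keeps 'txt', 'pptx' and 'potx'."""
    allowed = {}
    for ext in _site_extensions(allow_list):
        for pattern, mime in table.items():
            if ext in pattern:
                allowed[pattern] = mime
    return allowed


def strict_allowed_patterns(allow_list: str, table: dict = MIME_TABLE) -> dict:
    """The word-boundary check from the quoted reply: \\b<ext>\\b against the
    pattern, case-insensitive. '|' is not a word character, so an entry can
    still match one member of a group, but 'tx' no longer matches 'pptx'."""
    allowed = {}
    for ext in _site_extensions(allow_list):
        rx = re.compile(r"\b" + re.escape(ext) + r"\b", re.IGNORECASE)
        for pattern, mime in table.items():
            if rx.search(pattern):
                allowed[pattern] = mime
    return allowed


def extensions_allowed(patterns: dict) -> set:
    """Flatten matched patterns into the concrete extensions a user may upload.
    A matched group contributes every member, which is the caveat in the comment."""
    exts = set()
    for pattern in patterns:
        exts.update(pattern.split("|"))
    return exts


if __name__ == "__main__":
    for allow in ("tx xls", "onetmp", "one"):
        print(f"allow-list {allow!r}")
        print("  loose :", sorted(extensions_allowed(loose_allowed_patterns(allow))))
        print("  strict:", sorted(extensions_allowed(strict_allowed_patterns(allow))))
```

With `tx xls` the loose check admits eight extensions, including `pptx`, `potx` and `xlsx`, while the strict check admits only the `xls` group; with `onetmp` both checks admit all four OneNote extensions, which is why a tighter regex alone does not make the allow-list per-extension.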