[wp-trac] [WordPress Trac] #50136: Files types not included in Upload file types are allowed to be uploaded because of loose file extension check
WordPress Trac
noreply at wordpress.org
Wed May 13 01:22:52 UTC 2020
#50136: Files types not included in Upload file types are allowed to be uploaded
because of loose file extension check
--------------------------+------------------------------
Reporter: Nikschavan | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upload | Version:
Severity: normal | Resolution:
Keywords: | Focuses: multisite
--------------------------+------------------------------
Comment (by dd32):
Replying to [comment:6 ayeshrajans]:
> I don't know if we can get the file name passed to the
> `check_upload_mimes` function, because it looks like this function is
> supposed to return an allow-list of file mimes from the configuration, and
> functionality downstream will check the extension.
Correct, there's no need for the filename extension here, only the allowed
list from the option.
> This makes it not possible to unit test it, so I refactored it to
> `filter_upload_mimes` function that takes array of mimes _and_ the allowed
> extensions as a string.
It's still possible to unit test it; you simply need to either set the
option prior to calling the function (the unit tests should take care of
resetting that) or use a `pre_option` filter.
My problem with [attachment:"50136.patch"] was primarily that it's a new
function just for unit testing purposes, and using `\b` to match within a
string which itself is intended to be used as a regular expression.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50136#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
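
An added illustration of the loose extension check named in the ticket title, not code from WordPress core or from either patch on the ticket. It assumes the loose check is a substring match of each allowed extension against the `|`-separated extension keys of the mimes array, and compares that with exact matching on each alternative, which needs no regular expression; the function names and sample data are constructed.

```php
<?php
// Added example: hypothetical helper names, constructed sample data.

// Split the space-separated allow-list option into lowercase extensions.
function example_allowed_exts( string $allowed ): array {
	return preg_split( '/\s+/', strtolower( trim( $allowed ) ), -1, PREG_SPLIT_NO_EMPTY );
}

// Loose check (assumed behaviour): an allowed extension matches a key
// if it appears anywhere inside it, so "doc" also admits "docx".
function example_loose_filter( array $mimes, string $allowed ): array {
	$out = array();
	foreach ( example_allowed_exts( $allowed ) as $ext ) {
		foreach ( $mimes as $pattern => $mime ) {
			if ( false !== strpos( (string) $pattern, $ext ) ) {
				$out[ $pattern ] = $mime;
			}
		}
	}
	return $out;
}

// Exact check: split each key on "|" and keep only the alternatives the
// allow-list names exactly, narrowing the key to those alternatives.
function example_exact_filter( array $mimes, string $allowed ): array {
	$allow = array_flip( example_allowed_exts( $allowed ) );
	$out   = array();
	foreach ( $mimes as $pattern => $mime ) {
		$kept = array();
		foreach ( explode( '|', (string) $pattern ) as $alt ) {
			if ( isset( $allow[ strtolower( $alt ) ] ) ) {
				$kept[] = $alt;
			}
		}
		if ( $kept ) {
			$out[ implode( '|', $kept ) ] = $mime;
		}
	}
	return $out;
}

// Constructed sample: a small mimes array and an allow-list option value.
$mimes = array(
	'jpg|jpeg|jpe' => 'image/jpeg',
	'doc'          => 'application/msword',
	'docx'         => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
	'htm|html'     => 'text/html',
);
print_r( array_keys( example_loose_filter( $mimes, 'jpg doc htm' ) ) );
print_r( array_keys( example_exact_filter( $mimes, 'jpg doc htm' ) ) );
```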