[wp-trac] [WordPress Trac] #55563: The function get_allowed_mime_types should check wp_get_current_user

WordPress Trac noreply at wordpress.org
Tue Apr 12 10:19:16 UTC 2022

#55563: The function get_allowed_mime_types should check wp_get_current_user
 Reporter:  giuse         |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Formatting    |    Version:  5.9.3
 Severity:  normal        |   Keywords:  dev-feedback
  Focuses:                |
 The function get_allowed_mime_types checks if the function
 current_user_can before using it, as you can see at

 The function current_user_can calls wp_get_current_user, as you can see at

 If the function get_allowed_mime_types is called when wp_get_current_user
 doesn't exist yet, it triggers a fatal error.

 I think get_allowed_mime_types should check also if wp_get_current_user
 exist. I would write something like this:

 function get_allowed_mime_types( $user = null ) {
     $t = wp_get_mime_types();

     unset( $t['swf'], $t['exe'] );
     if ( function_exists( 'current_user_can' ) && function_exists(
 'wp_get_current_user' ) ) {
         $unfiltered = $user ? user_can( $user, 'unfiltered_html' ) :
 current_user_can( 'unfiltered_html' );

     if ( empty( $unfiltered ) ) {
         unset( $t['htm|html'], $t['js'] );

      * Filters list of allowed mime types and file extensions.
      * @since 2.0.0
      * @param array            $t    Mime types keyed by the file
 extension regex corresponding to those types.
      * @param int|WP_User|null $user User ID, User object or null if not
 provided (indicates current user).
     return apply_filters( 'upload_mimes', $t, $user );

 The function wp_get_current_user is defined in wp-includes/plugguble.php,
 so after all, plugins are loaded. This means that if you call
 sanitize_file_name inside a nu-plugin, or before the action
 'plugin_loaded', you have the fatal error.

Ticket URL: <https://core.trac.wordpress.org/ticket/55563>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list