[wp-trac] [WordPress Trac] #55563: The function get_allowed_mime_types should check wp_get_current_user

WordPress Trac noreply at wordpress.org
Tue Apr 12 10:19:16 UTC 2022


#55563: The function get_allowed_mime_types should check wp_get_current_user
--------------------------+-----------------------------
 Reporter:  giuse         |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Formatting    |    Version:  5.9.3
 Severity:  normal        |   Keywords:  dev-feedback
  Focuses:                |
--------------------------+-----------------------------
 The function get_allowed_mime_types checks if the function
 current_user_can exists before using it, as you can see at
 https://developer.wordpress.org/reference/functions/get_allowed_mime_types/.

 The function current_user_can calls wp_get_current_user, as you can see at
 https://developer.wordpress.org/reference/functions/current_user_can/

 If the function get_allowed_mime_types is called when wp_get_current_user
 doesn't exist yet, it triggers a fatal error.

 I think get_allowed_mime_types should also check if wp_get_current_user
 exists. I would write something like this:

 {{{#!php
 <?php
 function get_allowed_mime_types( $user = null ) {
     $t = wp_get_mime_types();

     unset( $t['swf'], $t['exe'] );
     if ( function_exists( 'current_user_can' ) && function_exists( 'wp_get_current_user' ) ) {
         $unfiltered = $user ? user_can( $user, 'unfiltered_html' ) : current_user_can( 'unfiltered_html' );
     }

     if ( empty( $unfiltered ) ) {
         unset( $t['htm|html'], $t['js'] );
     }

     /**
      * Filters list of allowed mime types and file extensions.
      *
      * @since 2.0.0
      *
      * @param array            $t    Mime types keyed by the file extension regex corresponding to those types.
      * @param int|WP_User|null $user User ID, User object or null if not provided (indicates current user).
      */
     return apply_filters( 'upload_mimes', $t, $user );
 }
 }}}



 The function wp_get_current_user is defined in wp-includes/pluggable.php,
 so after all plugins are loaded. This means that if you call
 sanitize_file_name inside a mu-plugin, or before the action
 'plugin_loaded', you get the fatal error.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/55563>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
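
The load-order failure described in the ticket, reproduced as an added stand-alone example (not part of the ticket and not WordPress core code). The functions `wp_get_mime_types`, `current_user_can` and `wp_get_current_user` here are simplified stand-ins with constructed data, and `load_pluggable` and `allowed_extensions` are hypothetical helpers; the sketch compares the guard as the ticket describes it with the guard the ticket proposes.

```php
<?php
// Constructed stand-ins for WordPress core, modelling the ticket's load order:
// current_user_can() exists early, wp_get_current_user() only after pluggable.php.

function wp_get_mime_types() { // constructed subset of the real list
    return array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'htm|html'     => 'text/html',
        'js'           => 'application/javascript',
        'swf'          => 'application/x-shockwave-flash',
        'exe'          => 'application/x-msdownload',
    );
}

function current_user_can( $capability ) {
    $user = wp_get_current_user(); // undefined until load_pluggable() runs
    return in_array( $capability, $user['caps'], true );
}

function load_pluggable() { // hypothetical helper standing in for pluggable.php
    function wp_get_current_user() {
        return array( 'caps' => array( 'unfiltered_html' ) ); // constructed user
    }
}

// $check_pluggable = false: guard as the ticket describes it today.
// $check_pluggable = true:  guard with the extra check the ticket proposes.
function allowed_extensions( $check_pluggable ) {
    $t = wp_get_mime_types();
    unset( $t['swf'], $t['exe'] );
    $ready = function_exists( 'current_user_can' )
        && ( ! $check_pluggable || function_exists( 'wp_get_current_user' ) );
    if ( $ready ) {
        $unfiltered = current_user_can( 'unfiltered_html' );
    }
    if ( empty( $unfiltered ) ) {
        unset( $t['htm|html'], $t['js'] ); // no capability proven: fail closed
    }
    return implode( ', ', array_keys( $t ) );
}

try { // early call, as from a mu-plugin
    allowed_extensions( false );
} catch ( Error $e ) {
    echo 'current guard, early: ', $e->getMessage(), PHP_EOL;
}
echo 'proposed guard, early: ', allowed_extensions( true ), PHP_EOL;
load_pluggable();
echo 'proposed guard, late:  ', allowed_extensions( true ), PHP_EOL;
```

With the extra check, an early caller receives the restrictive list (no `htm|html` or `js`) instead of a fatal error, so the upload allowlist fails closed until the user's capability can actually be evaluated.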

