From 94c8a5d9942edfe7e91583e4099eefc313263491 Mon Sep 17 00:00:00 2001
From: Joe McGill
Date: Mon, 7 Jan 2019 20:47:56 +0000
Subject: [PATCH] Upload: Fix upload failures of common text file types.
This adds some special case handling in 'wp_check_filetype_and_ext()' that prevents some common file types from being blocked based on mismatched MIME checks, which were made more strict in WordPress 5.0.1.
Props Kloon, birgire, tellyworth, joemcgill.
See #45615.
git-svn-id: https://develop.svn.wordpress.org/trunk@44438 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/functions.php | 23 +++++++++++++-
 tests/phpunit/tests/functions.php | 51 ++++++++++++++++++++++++++++++-
 2 files changed, 72 insertions(+), 2 deletions(-)
diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
index 439a2a30ce..8c209ec6bf 100644
--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -2569,10 +2569,31 @@ function wp_check_filetype_and_ext( $file, $filename, $mimes = null ) {
 * This means that common mismatches are forgiven: application/vnd.apple.numbers is often misidentified as application/zip,
 * and some media files are commonly named with the wrong extension (.mov instead of .mp4)
 */
-
 if ( substr( $real_mime, 0, strcspn( $real_mime, '/' ) ) !== substr( $type, 0, strcspn( $type, '/' ) ) ) {
 $type = $ext = false;
 }
+ } elseif ( 'text/plain' === $real_mime ) {
+ // A few common file types are occasionally detected as text/plain; allow those.
+ if ( ! in_array( $type, array(
+ 'text/plain',
+ 'text/csv',
+ 'text/richtext',
+ 'text/tsv',
+ 'text/vtt',
+ ) )
+ ) {
+ $type = $ext = false;
+ }
+ } elseif( 'text/rtf' === $real_mime ) {
+ // Special casing for RTF files.
+ if ( ! in_array( $type, array(
+ 'text/rtf',
+ 'text/plain',
+ 'application/rtf',
+ ) )
+ ) {
+ $type = $ext = false;
+ }
 } else {
 if ( $type !== $real_mime ) {
 /*
diff --git a/tests/phpunit/tests/functions.php b/tests/phpunit/tests/functions.php
index f76c342c2f..6a7c447c28 100644
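Review bot: Both new allowlist checks call `in_array()` without the strict flag, so `$type` is compared loosely against the permitted MIME strings; for a check that decides whether an upload is accepted, change the closing `) )` of each call to `), true )`. `$type` is presumably the extension-derived type or `false`, so this is hardening rather than a known bypass, but it keeps the allowlist exact if that ever changes. Each list also deserves a comment such as `// Keep this list to inert text formats; a browser-rendered or executable type here would defeat the MIME check.`, because text/plain is typically what the detector reports for any readable text it cannot classify further. As a style point, `elseif(` in the RTF branch is missing the space the other branches use. The enclosing if/elseif chain begins and ends outside the hunk.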
--- a/tests/phpunit/tests/functions.php +++ b/tests/phpunit/tests/functions.php @@ -1230,7 +1230,7 @@ class Tests_Functions extends WP_UnitTestCase { } /** - * Data profider for test_wp_get_image_mime(); + * Data provider for test_wp_get_image_mime(); */ public function _wp_get_image_mime() { $data = array( @@ -1336,6 +1336,55 @@ class Tests_Functions extends WP_UnitTestCase { 'proper_filename' => false, ), ), + // Non-image file not allowed even if it's named like one. + array( + DIR_TESTDATA . '/export/crazy-cdata.xml', + 'crazy-cdata.jpg', + array( + 'ext' => false, + 'type' => false, + 'proper_filename' => false, + ), + ), + // Non-image file not allowed if it's named like something else. + array( + DIR_TESTDATA . '/export/crazy-cdata.xml', + 'crazy-cdata.doc', + array( + 'ext' => false, + 'type' => false, + 'proper_filename' => false, + ), + ), + // Assorted text/* sample files + array( + DIR_TESTDATA . '/uploads/test.vtt', + 'test.vtt', + array( + 'ext' => 'vtt', + 'type' => 'text/vtt', + 'proper_filename' => false, + ), + ), + array( + DIR_TESTDATA . '/uploads/test.csv', + 'test.csv', + array( + 'ext' => 'csv', + 'type' => 'text/csv', + 'proper_filename' => false, + ), + ), + // RTF files. + array( + DIR_TESTDATA . '/uploads/test.rtf', + 'test.rtf', + array( + 'ext' => 'rtf', + 'type' => 'application/rtf', + 'proper_filename' => false, + ), + ), ); // Test a few additional file types on single sites.
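Review bot: The added cases exercise only the accepting side of the new text/plain and text/rtf branches (vtt, csv, rtf); no entry shows a file detected as text/plain being refused because its filename maps to a type outside the new list. The two `crazy-cdata.xml` cases are probably decided by a different branch, depending on what the detector reports for XML. I would add one entry that reuses an existing plain-text fixture under a filename whose extension is an allowed upload type but is not in the list, expecting `'ext' => false, 'type' => false, 'proper_filename' => false`. `text/richtext` and `text/tsv` are in the list but have no sample file, and the expected values depend on the runner's fileinfo database, so a one-line comment naming the detected type each fixture relies on would help when these start failing. The data-provider array starts and ends outside the hunk.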