From 246a70bdbfac3bd45ff71c7941deef1bb206b19a Mon Sep 17 00:00:00 2001 From: Jeremy Felt Date: Wed, 12 Dec 2018 23:01:47 +0000 Subject: [PATCH] Media: Improve verification of MIME file types. Built from https://develop.svn.wordpress.org/branches/5.0@43988 git-svn-id: http://core.svn.wordpress.org/branches/5.0@43820 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/functions.php | 51 +++++++++++++++++++++++++++++++++------ wp-includes/version.php | 2 +- 2 files changed, 44 insertions(+), 9 deletions(-) diff --git a/wp-includes/functions.php b/wp-includes/functions.php index c44685e604..d4af13f2a8 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php @@ -2349,17 +2349,52 @@ function wp_check_filetype_and_ext( $file, $filename, $mimes = null ) { $real_mime = finfo_file( $finfo, $file ); finfo_close( $finfo ); - /* - * If $real_mime doesn't match what we're expecting, we need to do some extra - * vetting of application mime types to make sure this type of file is allowed. - * Other mime types are assumed to be safe, but should be considered unverified. - */ - if ( $real_mime && ( $real_mime !== $type ) && ( 0 === strpos( $real_mime, 'application' ) ) ) { - $allowed = get_allowed_mime_types(); + // fileinfo often misidentifies obscure files as one of these types + $nonspecific_types = array( + 'application/octet-stream', + 'application/encrypted', + 'application/CDFV2-encrypted', + 'application/zip', + ); - if ( ! in_array( $real_mime, $allowed ) ) { + /* + * If $real_mime doesn't match the content type we're expecting from the file's extension, + * we need to do some additional vetting. Media types and those listed in $nonspecific_types are + * allowed some leeway, but anything else must exactly match the real content type. + */ + if ( in_array( $real_mime, $nonspecific_types, true ) ) { + // File is a non-specific binary type. That's ok if it's a type that generally tends to be binary. + if ( !in_array( substr( $type, 0, strcspn( $type, '/' ) ), array( 'application', 'video', 'audio' ) ) ) { $type = $ext = false; } + } elseif ( 0 === strpos( $real_mime, 'video/' ) || 0 === strpos( $real_mime, 'audio/' ) ) { + /* + * For these types, only the major type must match the real value. + * This means that common mismatches are forgiven: application/vnd.apple.numbers is often misidentified as application/zip, + * and some media files are commonly named with the wrong extension (.mov instead of .mp4) + */ + + if ( substr( $real_mime, 0, strcspn( $real_mime, '/' ) ) !== substr( $type, 0, strcspn( $type, '/' ) ) ) { + $type = $ext = false; + } + } else { + if ( $type !== $real_mime ) { + /* + * Everything else including image/* and application/*: + * If the real content type doesn't match the file extension, assume it's dangerous. + */ + $type = $ext = false; + } + + } + } + + // The mime type must be allowed + if ( $type ) { + $allowed = get_allowed_mime_types(); + + if ( ! in_array( $type, $allowed ) ) { + $type = $ext = false; } } diff --git a/wp-includes/version.php b/wp-includes/version.php index d85ed13667..68c9277381 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '5.0.1-alpha-43972'; +$wp_version = '5.0.1-alpha-43988'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.