diff --git a/wp-includes/functions.php b/wp-includes/functions.php index 1827dd76fc..c0bd2004b4 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php @@ -2332,17 +2332,52 @@ function wp_check_filetype_and_ext( $file, $filename, $mimes = null ) { $real_mime = finfo_file( $finfo, $file ); finfo_close( $finfo ); - /* - * If $real_mime doesn't match what we're expecting, we need to do some extra - * vetting of application mime types to make sure this type of file is allowed. - * Other mime types are assumed to be safe, but should be considered unverified. - */ - if ( $real_mime && ( $real_mime !== $type ) && ( 0 === strpos( $real_mime, 'application' ) ) ) { - $allowed = get_allowed_mime_types(); + // fileinfo often misidentifies obscure files as one of these types + $nonspecific_types = array( + 'application/octet-stream', + 'application/encrypted', + 'application/CDFV2-encrypted', + 'application/zip', + ); - if ( ! in_array( $real_mime, $allowed ) ) { + /* + * If $real_mime doesn't match the content type we're expecting from the file's extension, + * we need to do some additional vetting. Media types and those listed in $nonspecific_types are + * allowed some leeway, but anything else must exactly match the real content type. + */ + if ( in_array( $real_mime, $nonspecific_types, true ) ) { + // File is a non-specific binary type. That's ok if it's a type that generally tends to be binary. + if ( !in_array( substr( $type, 0, strcspn( $type, '/' ) ), array( 'application', 'video', 'audio' ) ) ) { $type = $ext = false; } + } elseif ( 0 === strpos( $real_mime, 'video/' ) || 0 === strpos( $real_mime, 'audio/' ) ) { + /* + * For these types, only the major type must match the real value. + * This means that common mismatches are forgiven: application/vnd.apple.numbers is often misidentified as application/zip, + * and some media files are commonly named with the wrong extension (.mov instead of .mp4) + */ + + if ( substr( $real_mime, 0, strcspn( $real_mime, '/' ) ) !== substr( $type, 0, strcspn( $type, '/' ) ) ) { + $type = $ext = false; + } + } else { + if ( $type !== $real_mime ) { + /* + * Everything else including image/* and application/*: + * If the real content type doesn't match the file extension, assume it's dangerous. + */ + $type = $ext = false; + } + + } + } + + // The mime type must be allowed + if ( $type ) { + $allowed = get_allowed_mime_types(); + + if ( ! in_array( $type, $allowed ) ) { + $type = $ext = false; } }