From ba1682a270a1d2400c1c9249089e9218de8e0e9a Mon Sep 17 00:00:00 2001
From: Andrew Nacin <nacin@git.wordpress.org>
Date: Sat, 10 Nov 2012 05:36:37 +0000
Subject: [PATCH] Don't allow non-image uploads for custom headers and
 backgrounds. props kovshenin. fixes #22149.

git-svn-id: https://develop.svn.wordpress.org/trunk@22521 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-admin/custom-background.php     |  8 +++++++-
 wp-admin/custom-header.php         |  8 +++++++-
 wp-admin/includes/ajax-actions.php | 11 +++++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/wp-admin/custom-background.php b/wp-admin/custom-background.php
index 6b0a111266..447176e752 100644
--- a/wp-admin/custom-background.php
+++ b/wp-admin/custom-background.php
@@ -355,7 +355,13 @@ if ( current_theme_supports( 'custom-background', 'default-color' ) )
 
 		check_admin_referer('custom-background-upload', '_wpnonce-custom-background-upload');
 		$overrides = array('test_form' => false);
-		$file = wp_handle_upload($_FILES['import'], $overrides);
+
+		$uploaded_file = $_FILES['import'];
+		$wp_filetype = wp_check_filetype_and_ext( $uploaded_file['tmp_name'], $uploaded_file['name'], false );
+		if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) )
+			wp_die( __( 'The uploaded file is not a valid image. Please try again.' ) );
+
+		$file = wp_handle_upload($uploaded_file, $overrides);
 
 		if ( isset($file['error']) )
 			wp_die( $file['error'] );
diff --git a/wp-admin/custom-header.php b/wp-admin/custom-header.php
index 85a22dceba..6c16328845 100644
--- a/wp-admin/custom-header.php
+++ b/wp-admin/custom-header.php
@@ -768,7 +768,13 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
 	 */
 	function step_2_manage_upload() {
 		$overrides = array('test_form' => false);
-		$file = wp_handle_upload($_FILES['import'], $overrides);
+
+		$uploaded_file = $_FILES['import'];
+		$wp_filetype = wp_check_filetype_and_ext( $uploaded_file['tmp_name'], $uploaded_file['name'], false );
+		if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) )
+			wp_die( __( 'The uploaded file is not a valid image. Please try again.' ) );
+
+		$file = wp_handle_upload($uploaded_file, $overrides);
 
 		if ( isset($file['error']) )
 			wp_die( $file['error'],  __( 'Image Upload Error' ) );
diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php
index 53bfe328fc..4dd8b17605 100644
--- a/wp-admin/includes/ajax-actions.php
+++ b/wp-admin/includes/ajax-actions.php
@@ -1609,6 +1609,17 @@ function wp_ajax_upload_attachment() {
 
 	$post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
 
+	// If the context is custom header or background, make sure the uploaded file is an image.
+	if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) {
+		$wp_filetype = wp_check_filetype_and_ext( $_FILES['async-upload']['tmp_name'], $_FILES['async-upload']['name'], false );
+		if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) ) {
+			wp_send_json_error( array(
+				'message' => __( 'The uploaded file is not a valid image. Please try again.' ),
+				'filename' => $_FILES['async-upload']['name'],
+			) );
+		}
+	}
+
 	$attachment_id = media_handle_upload( 'async-upload', $post_id, $post_data );
 
 	if ( is_wp_error( $attachment_id ) ) {