sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Don't allow non-image uploads for custom headers and backgrounds. props kovshenin. fixes #22149.

Browse Source 
git-svn-id: https://develop.svn.wordpress.org/trunk@22521 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Andrew Nacin 2012-11-10 05:36:37 +00:00
parent 86a132fe2b
commit ba1682a270
3 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
wp-admin/custom-background.php
View File

@ -355,7 +355,13 @@ if ( current_theme_supports( 'custom-background', 'default-color' ) )
check_admin_referer('custom-background-upload', '_wpnonce-custom-background-upload'); check_admin_referer('custom-background-upload', '_wpnonce-custom-background-upload');
$overrides = array('test_form' => false); $overrides = array('test_form' => false);
$file = wp_handle_upload($_FILES['import'], $overrides);
$uploaded_file = $_FILES['import'];
$wp_filetype = wp_check_filetype_and_ext( $uploaded_file['tmp_name'], $uploaded_file['name'], false );
if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) )
wp_die( __( 'The uploaded file is not a valid image. Please try again.' ) );
$file = wp_handle_upload($uploaded_file, $overrides);
if ( isset($file['error']) ) if ( isset($file['error']) )
wp_die( $file['error'] ); wp_die( $file['error'] );

8
wp-admin/custom-header.php
View File

@ -768,7 +768,13 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
*/ */
function step_2_manage_upload() { function step_2_manage_upload() {
$overrides = array('test_form' => false); $overrides = array('test_form' => false);
$file = wp_handle_upload($_FILES['import'], $overrides);
$uploaded_file = $_FILES['import'];
$wp_filetype = wp_check_filetype_and_ext( $uploaded_file['tmp_name'], $uploaded_file['name'], false );
if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) )
wp_die( __( 'The uploaded file is not a valid image. Please try again.' ) );
$file = wp_handle_upload($uploaded_file, $overrides);
if ( isset($file['error']) ) if ( isset($file['error']) )
wp_die( $file['error'], __( 'Image Upload Error' ) ); wp_die( $file['error'], __( 'Image Upload Error' ) );

11
wp-admin/includes/ajax-actions.php
View File

@ -1609,6 +1609,17 @@ function wp_ajax_upload_attachment() {
$post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array(); $post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
// If the context is custom header or background, make sure the uploaded file is an image.
if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) {
$wp_filetype = wp_check_filetype_and_ext( $_FILES['async-upload']['tmp_name'], $_FILES['async-upload']['name'], false );
if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) ) {
wp_send_json_error( array(
'message' => __( 'The uploaded file is not a valid image. Please try again.' ),
'filename' => $_FILES['async-upload']['name'],
) );
}
}
$attachment_id = media_handle_upload( 'async-upload', $post_id, $post_data ); $attachment_id = media_handle_upload( 'async-upload', $post_id, $post_data );
if ( is_wp_error( $attachment_id ) ) { if ( is_wp_error( $attachment_id ) ) {