<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><style type="text/css"><!--
#msg dl { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fc0 solid; padding: 6px; }
#msg ul, pre { overflow: auto; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<title>[12166] branches/2.8/wp-includes:
Sanitize filenames with multiple extensions.</title>
</head>
<body>
<div id="msg">
<dl>
<dt>Revision</dt> <dd><a href="http://trac.wordpress.org/changeset/12166">12166</a></dd>
<dt>Author</dt> <dd>ryan</dd>
<dt>Date</dt> <dd>2009-11-11 23:10:13 +0000 (Wed, 11 Nov 2009)</dd>
</dl>
<h3>Log Message</h3>
<pre>Sanitize filenames with multiple extensions. see <a href="http://trac.wordpress.org/ticket/11122">#11122</a></pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branches28wpincludesformattingphp">branches/2.8/wp-includes/formatting.php</a></li>
<li><a href="#branches28wpincludesfunctionsphp">branches/2.8/wp-includes/functions.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="branches28wpincludesformattingphp"></a>
<div class="modfile"><h4>Modified: branches/2.8/wp-includes/formatting.php (12165 => 12166)</h4>
<pre class="diff"><span>
<span class="info">--- branches/2.8/wp-includes/formatting.php 2009-11-11 23:07:29 UTC (rev 12165)
+++ branches/2.8/wp-includes/formatting.php 2009-11-11 23:10:13 UTC (rev 12166)
</span><span class="lines">@@ -605,6 +605,39 @@
</span><span class="cx"> $filename = str_replace($special_chars, '', $filename);
</span><span class="cx"> $filename = preg_replace('/[\s-]+/', '-', $filename);
</span><span class="cx"> $filename = trim($filename, '.-_');
</span><ins>+
+ // Split the filename into a base and extension[s]
+ $parts = explode('.', $filename);
+
+ // Return if only one extension
+ if ( count($parts) <= 2 )
+ return apply_filters('sanitize_file_name', $filename, $filename_raw);
+
+ // Process multiple extensions
+ $filename = array_shift($parts);
+ $extension = array_pop($parts);
+ $mimes = get_allowed_mime_types();
+
+ // Loop over any intermediate extensions. Munge them with a trailing underscore if they are a 2 - 5 character
+ // long alpha string not in the extension whitelist.
+ foreach ( (array) $parts as $part) {
+ $filename .= '.' . $part;
+
+ if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
+ $allowed = false;
+ foreach ( $mimes as $ext_preg => $mime_match ) {
+ $ext_preg = '!(^' . $ext_preg . ')$!i';
+ if ( preg_match( $ext_preg, $part ) ) {
+ $allowed = true;
+ break;
+ }
+ }
+ if ( !$allowed )
+ $filename .= '_';
+ }
+ }
+ $filename .= '.' . $extension;
+
</ins><span class="cx"> return apply_filters('sanitize_file_name', $filename, $filename_raw);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branches28wpincludesfunctionsphp"></a>
<div class="modfile"><h4>Modified: branches/2.8/wp-includes/functions.php (12165 => 12166)</h4>
<pre class="diff"><span>
<span class="info">--- branches/2.8/wp-includes/functions.php 2009-11-11 23:07:29 UTC (rev 12165)
+++ branches/2.8/wp-includes/functions.php 2009-11-11 23:10:13 UTC (rev 12166)
</span><span class="lines">@@ -2226,8 +2226,36 @@
</span><span class="cx"> * @return array Values with extension first and mime type.
</span><span class="cx"> */
</span><span class="cx"> function wp_check_filetype( $filename, $mimes = null ) {
</span><del>- // Accepted MIME types are set here as PCRE unless provided.
- $mimes = ( is_array( $mimes ) ) ? $mimes : apply_filters( 'upload_mimes', array(
</del><ins>+ if ( null === $mimes )
+ $mimes = get_allowed_mime_types();
+ $type = false;
+ $ext = false;
+
+ foreach ( $mimes as $ext_preg => $mime_match ) {
+ $ext_preg = '!\.(' . $ext_preg . ')$!i';
+ if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {
+ $type = $mime_match;
+ $ext = $ext_matches[1];
+ break;
+ }
+ }
+
+ return compact( 'ext', 'type' );
+}
+
+/**
+ * Retrieve list of allowed mime types and file extensions.
+ *
+ * @since 2.8.6
+ *
+ * @return array Array of mime types keyed by the file extension regex corresponding to those types.
+ */
+function get_allowed_mime_types() {
+ static $mimes = false;
+
+ if ( !$mimes ) {
+ // Accepted MIME types are set here as PCRE unless provided.
+ $mimes = apply_filters( 'upload_mimes', array(
</ins><span class="cx"> 'jpg|jpeg|jpe' => 'image/jpeg',
</span><span class="cx"> 'gif' => 'image/gif',
</span><span class="cx"> 'png' => 'image/png',
</span><span class="lines">@@ -2273,24 +2301,11 @@
</span><span class="cx"> 'odc' => 'application/vnd.oasis.opendocument.chart',
</span><span class="cx"> 'odb' => 'application/vnd.oasis.opendocument.database',
</span><span class="cx"> 'odf' => 'application/vnd.oasis.opendocument.formula',
</span><del>- )
- );
-
- $type = false;
- $ext = false;
-
- foreach ( $mimes as $ext_preg => $mime_match ) {
- $ext_preg = '!\.(' . $ext_preg . ')$!i';
- if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {
- $type = $mime_match;
- $ext = $ext_matches[1];
- break;
- }
</del><ins>+ ) );
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- return compact( 'ext', 'type' );
</del><ins>+ return $mimes;
</ins><span class="cx"> }
</span><del>-
</del><span class="cx"> /**
</span><span class="cx"> * Retrieve nonce action "Are you sure" message.
</span><span class="cx"> *
</span></span></pre>
</div>
</div>
</body>
</html>