[wp-hackers] is wp_check_filetype() stupid?

Abel Cheung abelcheung at gmail.com
Sat Jun 16 23:13:15 GMT 2007


I just noticed I can't upload any patch file to WordPress; wondering why,
it leads me to this snippet:

function wp_check_filetype($filename, $mimes = null) {
        // Accepted MIME types are set here as PCRE unless provided.
        $mimes = is_array($mimes) ? $mimes : apply_filters('upload_mimes', array (
                'jpg|jpeg|jpe' => 'image/jpeg',
                'gif' => 'image/gif',
                'png' => 'image/png',
                'bmp' => 'image/bmp',
                'tif|tiff' => 'image/tiff',
                ......

Is it _vital_ to list all possible mime types this way, instead of
blacklisting some?
Right now:

- No patch (ending in .patch or .diff) can be uploaded.
- Not to mention ALL OpenDocument formats and PostScript
- Nor can certain multimedia formats be uploaded, like .flv (Flash movie),
.ape (Monkey's Audio), and a zillion others
- As well as quite a few compression formats like .bz2, .7z, .arj, .rar, ......
- And package formats like .rpm, .deb, .msi, .......
- Anybody want me to list 100 more?

I'd suggest blacklisting rather than whitelisting; it's infinitely tiresome.

Abel
-- 
Abel Cheung   (GPG Key: 0xC67186FF)
Key fingerprint: 671C C7AE EFB5 110C D6D1  41EE 4152 E1F1 C671 86FF
--------------------------------------------------------------------
* GNOME Hong Kong - http://www.gnome.hk/
* Opensource Application Knowledge Assoc. - http://oaka.org/
* My own cave: http://me.abelcheung.org/
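
Added example (not part of the original message and not WordPress core code): a stand-alone comparison of the two policies discussed above, run over constructed filenames. The function names, the denylist contents and the 'text/plain' type for patches are assumptions; the allowlist keys follow the PCRE-alternation form shown in the snippet, with 'patch|diff' standing for an entry that an 'upload_mimes' filter callback could add.

```php
<?php
// Added example: hypothetical helpers, not the WordPress implementation.

// Allowlist keyed by PCRE alternation, as in the quoted snippet. The last
// entry is the kind of addition an 'upload_mimes' callback could return.
$allowed = array(
    'jpg|jpeg|jpe' => 'image/jpeg',
    'gif'          => 'image/gif',
    'png'          => 'image/png',
    'patch|diff'   => 'text/plain',   // assumed MIME type for patch files
);

// Denylist of extensions the operator happened to think of (constructed).
$denied = array('php', 'exe', 'sh');

// Allowlist check: the final extension must match one of the keys.
function allowlist_type($filename, array $mimes) {
    foreach ($mimes as $ext_preg => $mime) {
        if (preg_match('!\.(' . $ext_preg . ')$!i', $filename)) {
            return $mime;
        }
    }
    return false; // unknown or missing extension: rejected by default
}

// Denylist check: anything not explicitly listed is accepted.
function denylist_accepts($filename, array $denied) {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $denied, true);
}

// Constructed sample filenames.
$samples = array('fix-typo.patch', 'photo.JPG', 'report.odt',
                 'index.php', 'index.phtml', 'index.php5', 'notes');

foreach ($samples as $name) {
    $type = allowlist_type($name, $allowed);
    printf("%-16s allowlist: %-12s denylist: %s\n",
        $name,
        $type === false ? 'reject' : $type,
        denylist_accepts($name, $denied) ? 'accept' : 'reject');
}
```

The allowlist needs one new key per format (here, 'patch|diff'), while the denylist accepts every extension its author did not list, including the extensionless file and the .phtml and .php5 names.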

