WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] 3.5 RC3 Multisite Network Settings allow other than default file types in upload (12 posts)

  1. _Redd
    Member
    Posted 1 year ago #

    My apologies in advance if this is known or expected behavior.

    In an effort to restrict casual users from access to other than graphic files (for example, the .zip file that was dropped into Uploads by WordPress when it had a duplicate plugin), I checked Network settings of allowable file types.

    .zip files are not allowed by default in Network settings.

    According to "upload settings" on my multisite setup, the following file types are allowed:

    jpg jpeg png gif mp3 mov avi wmv midi mid pdf

    .zip files are not allowed under this setting.

    Would it be considered a bug if the .zip file shows up in the Media Gallery, however accidental, if the Network Settings do not list .zip files as an authorized file type?

    Thanks again for any input you may have. And sorry to be such a pain about all of this; I just feel it would allow major security problems if other than strictly graphic files are accessible via the media gallery.

  2. Andrew Nacin
    Lead Developer
    Posted 1 year ago #

    The multisite file types is specifically an upload thing. WordPress does not allow the uploading of zip files in multisite by regular users, based on that setting.

    However, if the file is already uploaded, then users will have access to it. This has been WordPress behavior since 2.5 or earlier.

    Did I misunderstand?

  3. _Redd
    Member
    Posted 1 year ago #

    Good morning Nacin--no, you did not misunderstand.

    The misunderstanding was mine, totally.

    The surprise on my part was that the .zip file showed up at all in the media gallery. This had not happened before, and I *THINK* it may be due to the fact that WordPress no longer uses blogs.dir.

    In 3.4, I had accidently loaded "duplicate" test plugins, and had received the same error message, but I never saw those duplicate plugins show up in the media gallery. At the time, I had assumed that WordPress was simply rejecting them, but perhaps it was throwing the duplicates into the blogs.dir folder.

    My concern is that I will have multiple users, most of whom do not have experience with WordPress (not that I have that much experience) who will also be authorized to activate plugins. When they do, and if they accidently load a plugin twice, as I have, then anyone who has the ability to edit a page will have access to those .zip files--and very well may, because the icon looks like a picture of a box--a cute "graphic" they could put in their page. (I tested yesterday as editor). My understanding is that because images are attached to parent posts/pages, I can't restrict access to images unless I also restrict access to posts/pages, and that's just not going to happen. This is my problem, of course, but it is a major concern, as I expect multiple users, including possibly some students, to be maintaining these pages.

    It's not specifically the access to the plugin that concerns me, it's the fact that the attachment file took me all the way to my folders inside the site.

    Ok, here's where I REALLY make a fool of myself, because I'm not a programmer. I'm just a "learn-as-you-go" kind of person.

    I don't *THINK* it's a cookie thing, as I was able to view the plugin in the media gallery across multiple browsers.

    It MAY be a session thing, because after shutting down the computer overnight, I will no longer see the .zip file. BUT, significantly, closing the browswer is not enough to make the view disappear.

    To replicate:

    Install a plugin.

    Install the exact same plugin again, get the error message that install failed.

    Check the media gallery.

    You'll see the .zip file.

    When I loaded the icon into the page, it provided a link by which anyone could get into my folder system.

    I've got screen shots for you, for further clarification of what I'm talking about.

    'http://red-hound.com/wordpress35rc3/whoa/'

    Right now, on the test site, on the home menu, I have a link "Media Gallery File Types"...more screen shots are there.

    'http://red-hound.com/wordpress35rc3/'

    Again, thank you for EVERYTHING you and the team do. I am just in awe. Thank you so much to all of you, and what you give to us with this amazing open-source platform.

  4. New multisites don't use blogs.dir, true, but the old ones still do.

    Also remember on a network, your users cannot upload themes or plugins, so that's going to mitigate your fear a little.

  5. _Redd
    Member
    Posted 1 year ago #

    Mika, you and the team are awesome for the work you do in these forums--thank you so much!.

    The problem is not whether they can upload or not, the problem is that they have access to the zip file through the media gallery, no matter WHO uploads the zip file.

    Am I making sense?

  6. In 3.4, I had accidently loaded "duplicate" test plugins

    How? You went to network admin -> Plugins and uploaded a plugin?

  7. _Redd
    Member
    Posted 1 year ago #

    Mika, I'm freaking out now.

    I went to my 3.4 test multisite to reproduce the steps accurately for your review. BTW, these are small site-specific plugins, in .zip format, based on Codex, uploaded from my Desktop, not from WordPress.org.

    Here's the steps taken:
    1. Network Admin -> Dashboard
    2. Click on Dashboard
    3. On Dashboard Menu, click plugins
    4. Click Add New
    5. Click Upload (not Search)
    I get the following message:

    Install a plugin in .zip format

    If you have a plugin in a .zip format, you may install it by uploading it here.

    6. I click choose file
    7. After I choose the file, I click "Install Now"

    Now comes the part where I am freaking out....

    Since I was testing so many site-specific plugins, I would accidentally load the same plugin twice, and get error messages for it. I wouldn't think anything about it, I assumed WordPress was just not loading the plugin, and would move on. But when I went to look for a plugin to replicate, in order to recreate the error, I see the path for the plugin is a second plugin.

    See screenshot
    'http://red-hound.com/wordpress35rc3/whoa/screenshot-of-plugin-path-from-multisite-3-42/plugintwice/'

    I hadn't noticed it was doing this until revisiting it. But the thing is, it didn't give me the error message.

    So, I tried to reproduce it again with the "Hello Dolly" plugin, just downloading the file, renaming it "hello.php", and uploading it the same way. It gave me no error message, two plugins.

    'http://red-hound.com/wordpress35rc3/hello-dolly-twice-in-3-42-multisite/'

    I have no idea at all why it gave me two plugin options for the "Hello Dolly" plugin, and seemed to tell me that it put a plugin in a subdirectory for the Nelson Pages Custom Post Type 3A. I went through the same steps to upload the plugins.

    So, my huge apologies...I got a lot of error messages when working with plugins in 3.42, but maybe they had nothing to do with the paths/directories as the error messages I get in 3.5. I just made the assumption that WordPress was disallowing duplicates.

    Again, my apologies. HUGE apologies.

    However, one thing that absolutely did not happen was any of these plugins showing up in the media gallery, as in the case of my 3.5 test site. (Screenshot follows)

    'http://red-hound.com/wordpress35rc3/whoa/snapshotofzipinmedia2/'

    Again, I am extremely appreciative of all you and the team do.

    Thanks again--I should say, thanks YET again.

  8. http://red-hound.com/wordpress35rc3/whoa/screenshot-of-plugin-path-from-multisite-3-42/plugintwice/

    I don't get what's 'twice' about that actually. I see the path as pluginfolder/plugin.php which is totally normal.

    http://red-hound.com/wordpress35rc3/whoa/snapshotofzipinmedia2/

    This strikes me as a moment where you accidentally uploaded a zip in the media uploader (been there, done that myself). I can't reproduce that unless I actively do that.

    So, I tried to reproduce it again with the "Hello Dolly" plugin, just downloading the file, renaming it "hello.php", and uploading it the same way. It gave me no error message, two plugins.

    Can you go in and look at the files on your server? Are there two hello.php's? What's the other named?

  9. _Redd
    Member
    Posted 1 year ago #

    Good morning, Mika, you awesome person you. I know you and the others in the WordPress team are hammered right now with 3.5 stuff, so again, I'm really appreciative of the time you're giving to this (and others).

    I didn't know that the experience for 3.4 as described was normal(in which the path is created in the manner it is). Thank you so much for that information. What follows will ONLY deal with 3.5. Suffice to say that my experience with uploading plugins is different in 3.5 than it was in 3.4, and that is the thrust of my concern.

    Regarding the statement, "

    This strikes me as a moment where you accidentally uploaded a zip in the media uploader (been there, done that myself). I can't reproduce that unless I actively do that.
    "

    The upload was specifically and only through the plugin uploader, not through any other uploaders.

    I've taken step-by-step screenshots to reproduce the error again. I hope this helps--and again, thank you, thank you, thank you.

    Step One: I check the media files in the morning. No zip files there.(You can see dates associated with the screenshot)
    'http://red-hound.com/wordpress35rc3/december-7th-test-of-media-features/december-7-step-one/dec7step1/'

    Step Two: Check the server for plugins. Again, I tried to show dates in this screenshot to include today's date. This particular folder is the uploads folder for date 2012/12. (Not the sites folders, which are numbered 2 and 3, respectively)

    'http://red-hound.com/wordpress35rc3/december-7th-test-of-media-features/december-7-step-two-3-5-test-site-check-server/'

    Step Three. Go to Plugins Screen. You can see I have four plugins. At the top of the screen you can see the "Add New" button, next to the big "Plugins" word, that I use to add plugins.

    'http://red-hound.com/wordpress35rc3/december-7th-test-of-media-features/dec-7-step-3-test-site-3-5-go-to-plugins-screen/dec7step3/'

    Step Four: I have clicked "Add New" and arrived at the "Install Plugins" screen. The first option is search, but I'll be selecting the second option, "Upload" as I am uploading a test plugin.
    'http://red-hound.com/wordpress35rc3/december-7th-test-of-media-features/dec-7-step-4-test-site-3-5-install-plugins-screen/'

    Step Five: I've selected the "Upload" Link, in the Install Plugins screen. The screen asks me to install a plugin in .zip format, and on this screenshot, it shows the Browse button I use to select the file to upload.
    'http://red-hound.com/wordpress35rc3/december-7th-test-of-media-features/dec-7-step-5-test-site-3-5-install-plugins-screen-browse-for-plugin/'

    Step Six: I have selected a file, in .zip format, and the "Install Now" button becomes enabled (goes from light gray to dark). When I install the plugin, it is through the "Install Now" button.
    'http://red-hound.com/wordpress35rc3/december-7th-test-of-media-features/dec-7-step-6-test-site-3-5-install-plugins-screen-file-selected-install-enabled/'

    Step Seven: I receive the error message.
    'http://red-hound.com/wordpress35rc3/december-7th-test-of-media-features/dec-7-step-7-test-site-3-5-install-plugins-screen-error-message/'

    Step Eight: I re-check the files available in the Media Gallery, and I again see that the .zip file is available through the Media Gallery.
    'http://red-hound.com/wordpress35rc3/december-7th-test-of-media-features/dec-7-step-8-test-site-3-5-view-files-available-in-media/'

    Step Nine: I check the files in my server, and see that the plugin has been added.
    'http://red-hound.com/wordpress35rc3/december-7th-test-of-media-features/dec-7-step-9-test-site-3-5-view-files-available-on-server-in-uploads/'

    Mika, again, thank you and the rest of the team for all you do.

  10. _Redd
    Member
    Posted 1 year ago #

    Sorry, I may not have answered the part of your question about the two "Hello Dolly" plugins.

    The screenshot that follows is for my 3.4 test multisite, not the 3.5. But even this may be helpful, as it shows that a duplicate plugin goes into the plugins folder rather than the uploads folder, as it seems to in 3.5.

    Below is a screenshot, in which you can see that the plugin folder was modified yesterday, but not the uploads folder (again, for the 3.4 test site)

    'http://red-hound.com/wordpress35rc3/december-7th-test-plugin-media-3-4/screenshot-of-folder-systems-for-plugins-3-42-test-site/'

    And below this, is a screenshot showing how 3.4 handled the duplicate plugin Hello Dolly--it made a folder of it, as you knew but I did not (until now!)--the important point being that it all happened where expected, in the plugins folder, not the uploads folder.

    'http://red-hound.com/wordpress35rc3/december-7th-test-plugin-media-3-4/screenshot-of-hello-dolly-as-a-folder-and-as-a-file-3-42-test-site/'

    Again, thank you for all the awesomeness you and the team bring to WordPress. Very grateful.

  11. Son of a ... Confirmed.

    However this is not a 3.5 bug, it's there in 3.4.2

    ETA: Multisite puts the zip in the main site only so while not great, it's not going to hurt your users.

    http://core.trac.wordpress.org/ticket/22840

  12. _Redd
    Member
    Posted 1 year ago #

    Thank you, thank you, thank you. You guys and gals take care over there. Closing this thread, and watching developments on the ticket. Best regards.

Topic Closed

This topic has been closed to new replies.

About this Topic