WordPress.org

Ready to get started?Download WordPress

Forums

ms-files and mod_rewrite (1 post)

  1. ppostma1
    Member
    Posted 3 years ago #

    I think I found a bug/exploit in the ms-files

    We have spent many hours trying to change the mod_rewrite to handle /files/css/style.css?version=1.0.2 the goal being to force immediate updates to the CSS/javascript as the ttl/expire on them is set to days

    However, we could only change between it serving up mimetype = css?version=1.0.2 or a 404 when it looks for 'style.css?'

    Upon reviewing the ms-files I found that it calls
    $mime = wp_check_filetype( $_SERVER[ 'REQUEST_URI' ] );
    and
    $mimetype = 'image/' . substr( $_SERVER[ 'REQUEST_URI' ], strrpos( $_SERVER[ 'REQUEST_URI' ], '.' ) + 1 );

    'REQUEST_URI' is the request with query strings, before mod-rewrite renders it. This means that not only does mod_rewrite not impact what ms-files servers up, but also appends query strings to file types which flow through to mimetype. I believe the preferred data should come from the REDIRECT_URL or another server var to at least avoid the query string. Or to check the REQUEST_URI for '?' and chop the query string off.

    if(isset($_SERVER[ 'REDIRECT_URL' ]) && !empty($_SERVER[ 'REDIRECT_URL' ]))
        $filerequested = $_SERVER[ 'REDIRECT_URL' ];
    else
        $filerequested = $_SERVER[ 'REQUEST_URI' ];
    ...
    $mime = wp_check_filetype( $filerequested );
    ...
    $mimetype = 'image/' . substr( $filerequested, strrpos( $filerequested, '.' ) + 1 );

    That way users can mod_rewrite what goes into ms-files, and also helps security as bots passing parameters such as ?command=touch+-235xxx+hackedfile would be dropped preventing exploits

Topic Closed

This topic has been closed to new replies.

About this Topic