Security question: Upload settings in WP Multisite with untrusted blog admins

Thanks for the quick reply.
I am now able to shrink down the allowed upload types back to the whitelisted file extensions. The security issue is now boiled down to a usability issue, which is a big gain.
Anyway, there is still a little tweak. You used 0x7ffffff for filter priority. I guess you want to make sure, that your filter is the last one applied to upload_mimes list. On a 64bit system I can simply set my own filter priority to 0x80000000. On a stone-age 32bit system this won’t work (0x7fffffff is the highest possible value for a signed integer).

Concerning filtering options tabs:
I see two strategies, on how to avoid PHP uploads.
The first on one would be quite simple, with no roles or capabilites involved. In includes/class-mla-settings.php just get the tablist through a private method instead of storing it in a class var. Like this:

private function get_mla_options_tablist( ){
        $tablist = $mla_tablist = array(
            'general' => array( 'title' => __ ( 'General', 'media-library-assistant' ), 'render' => '_compose_general_tab' ),
            'view' => array( 'title' => __ ( 'Views', 'media-library-assistant' ), 'render' => '_compose_view_tab' ),
            'upload' => array( 'title' => __ ( 'Uploads', 'media-library-assistant' ), 'render' => '_compose_upload_tab' ),
            'mla_gallery' => array( 'title' => __ ( 'MLA Gallery', 'media-library-assistant' ), 'render' => '_compose_mla_gallery_tab' ),
            'custom_field' => array( 'title' => __ ( 'Custom Fields', 'media-library-assistant' ), 'render' => '_compose_custom_field_tab' ),
            'iptc_exif' => array( 'title' => 'IPTC/EXIF', 'render' => '_compose_iptc_exif_tab' ),
            'documentation' => array( 'title' => __ ( 'Documentation', 'media-library-assistant' ), 'render' => '_compose_documentation_tab' )
        );
        return apply_filters('mla_options_tabs',$tablist);
    }

Everywhere you reference self::$tablist use self::get_mla_options_tablist() instead. In the _save_[tab]_settings methods check if the corresponding tab is present in the array returned by MLASettings::get_mla_options_tablist()

For a coder it would be easy to write a mu-plugin, that simply does an unset($tablist['upload']) on the tablist. For you (just an idea…) it would open an opportunity to add a network settings with options like “Allow Blog admins to customize allowed MIME types”.

Second approach would be to enable MIME Customization only to those who can alter PHP code on the server anyway (and therefore should know what they are doing). In WordPress this is expressed by the edit_plugins and edit_themes capability. I multisite only network admins have these capablities.
This snippet should do the job:

if ( current_user_can( 'edit_plugins' ) || current_user_can( 'edit_themes' ) ) {
        self::$tablist['uploads'] = array( /* whatever... */ );
    }

Thanks a lot, and keep up the good work!
Looking forward to the next Update,
joern

Hi David,
Thank you very much for the Update.
I already set up everything in my project, and everthing looks just fine.

Just in case somebody else is running into the same issue like me (and stumbles upon this thread by accident), here’s my code that keeps upload MIME types under control of network admins:

// put in a php file living in wp-content/mu-plugins/

// always use WP MIME types
function mla_restrict_mime($mime) {
	// return WP's own whitelist
	return check_upload_mimes( $mime );
}
// We need very very high filter priority here, to make sure filter is applied after MLA applies it's own filter.
// (Notice: wont work on 32bit systems. Get a new server folks)
add_filter('upload_mimes' , 'mla_restrict_mime' , 0x80000000 );

// Hide Mime options tab.
function mla_hide_upload_options( $tabs ){
	// disable upload tab
	unset($tabs['upload']);
	return $tabs;
}
add_filter('mla_get_options_tablist','mla_hide_upload_options');