Thanks for the quick reply.
I am now able to shrink down the allowed upload types back to the whitelisted file extensions. The security issue is now boiled down to a usability issue, which is a big gain.
Anyway, there is still a little tweak. You used 0x7ffffff for filter priority. I guess you want to make sure that your filter is the last one applied to the upload_mimes list. On a 64bit system I can simply set my own filter priority to 0x80000000. On a stone-age 32bit system this won’t work (0x7fffffff is the highest possible value for a signed integer).
Concerning filtering options tabs:
I see two strategies on how to avoid PHP uploads.
The first one would be quite simple, with no roles or capabilities involved. In includes/class-mla-settings.php just get the tablist through a private method instead of storing it in a class var. Like this:
    // Static, so the existing self:: call sites keep working.
    private static function get_mla_options_tablist() {
        $tablist = array(
            'general'       => array( 'title' => __( 'General', 'media-library-assistant' ), 'render' => '_compose_general_tab' ),
            'view'          => array( 'title' => __( 'Views', 'media-library-assistant' ), 'render' => '_compose_view_tab' ),
            'upload'        => array( 'title' => __( 'Uploads', 'media-library-assistant' ), 'render' => '_compose_upload_tab' ),
            'mla_gallery'   => array( 'title' => __( 'MLA Gallery', 'media-library-assistant' ), 'render' => '_compose_mla_gallery_tab' ),
            'custom_field'  => array( 'title' => __( 'Custom Fields', 'media-library-assistant' ), 'render' => '_compose_custom_field_tab' ),
            'iptc_exif'     => array( 'title' => 'IPTC/EXIF', 'render' => '_compose_iptc_exif_tab' ),
            'documentation' => array( 'title' => __( 'Documentation', 'media-library-assistant' ), 'render' => '_compose_documentation_tab' ),
        );

        // Let a mu-plugin (or network-level code) remove or reorder tabs.
        return apply_filters( 'mla_options_tabs', $tablist );
    }
Everywhere you reference self::$tablist use self::get_mla_options_tablist() instead. In the _save_[tab]_settings methods check if the corresponding tab is present in the array returned by MLASettings::get_mla_options_tablist().
For a coder it would be easy to write a mu-plugin that simply does an unset($tablist['upload']) on the tablist. For you (just an idea…) it would open an opportunity to add network settings with options like “Allow Blog admins to customize allowed MIME types”.
The second approach would be to enable MIME customization only for those who can alter PHP code on the server anyway (and therefore should know what they are doing). In WordPress this is expressed by the edit_plugins and edit_themes capabilities. In multisite only network admins have these capabilities.
This snippet should do the job:
    // Only users who could edit PHP on the server anyway get the Uploads tab
    // (key 'upload', matching the tablist above).
    if ( current_user_can( 'edit_plugins' ) || current_user_can( 'edit_themes' ) ) {
        self::$tablist['upload'] = array( 'title' => __( 'Uploads', 'media-library-assistant' ), 'render' => '_compose_upload_tab' );
    }
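As an added example that is not part of this post or of Media Library Assistant, here is a mu-plugin that combines both strategies from a site-hardening angle and also deals with the filter-priority problem from the first paragraph. It assumes the proposed mla_options_tabs filter exists, that the tab is keyed 'upload' as in the tablist above, and uses a constructed extension allowlist.

```php
<?php
/*
Plugin Name: Example - restrict MLA MIME customization
Description: Added example for this thread, not part of Media Library Assistant.
*/

// Assumptions: the 'mla_options_tabs' filter proposed above exists, and the
// Uploads tab is keyed 'upload' as in the tablist shown in the post.

/**
 * Hide the Uploads tab unless the user could edit PHP on the server anyway.
 * edit_plugins / edit_themes map to do_not_allow when DISALLOW_FILE_EDIT is
 * set (and for non-super-admins in multisite), so this fails closed.
 */
function example_restrict_mla_upload_tab( $tablist ) {
    if ( ! current_user_can( 'edit_plugins' ) && ! current_user_can( 'edit_themes' ) ) {
        unset( $tablist['upload'] );
    }
    return $tablist;
}
add_filter( 'mla_options_tabs', 'example_restrict_mla_upload_tab' );

/**
 * Final word on upload_mimes: only entries from a fixed allowlist survive,
 * whatever an earlier filter (plugin settings included) added or changed.
 * The allowlist below is constructed for the example; adjust to the site.
 */
function example_enforce_upload_allowlist( $mimes ) {
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    );
    // Keep only keys present in both arrays, taking the MIME value from the
    // allowlist so an altered value from an earlier filter cannot slip through.
    return array_intersect_key( $allowed, $mimes );
}

/**
 * Register as late as possible. PHP_INT_MAX is the largest priority usable
 * on 32- and 64-bit builds alike; on 32-bit it equals 0x7fffffff, and
 * WordPress runs callbacks of equal priority in registration order, so
 * registering from a late 'init' callback (after plugins have hooked their
 * own upload_mimes filters) keeps this callback last either way.
 */
add_action( 'init', function () {
    add_filter( 'upload_mimes', 'example_enforce_upload_allowlist', PHP_INT_MAX );
}, PHP_INT_MAX );
```

upload_mimes is applied lazily when get_allowed_mime_types() is called at upload time, so hooking it from init is early enough.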