• Resolved normadize

    (@normadize)


    Great plugin, really like it!

    I want (actually need) to allow uploading ANY file type. I’m surprised to see that WPCF7 forces at least one file type, which then means I have to list all possible extensions out there 🙂

    Looking at the code in modules\file.php in wpcf7_file_validation_filter(), I notice that you escape the wildcard chars ?, *, +, . as well … not only that, but it also seems to require the file to have an extension since you do a regex match on /\.(escaped_pattern)$/, whereas not all files actually have an extension.

    All these restrictions are unnecessary and hinder functionality. I can easily hack your code but you should really permit your plugin users to be able to allow all file types. A simple . or .* as pattern would do.

    Also, the safe way to escape strings for use in preg_*() functions is to use preg_quote() rather than using str_replace() only on ?, *, +, ., which leaves quite a big security hole (you might want to revise that function).

    Otherwise, keep up the good work!

    p.s. I admit I haven’t read all the docs (I did read some), but a quick question: can I hook into the email function so I can do some custom stuff? A simple pointer would suffice.
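The escaping difference described in the post above, as an added example that is not Contact Form 7's code: the two pattern-building functions are a simplified reconstruction of the approaches being compared, and the settings string is constructed here rather than read from WordPress.

```php
<?php
// Added example, not the plugin's own code: contrasts escaping only the
// four characters the post names with escaping every PCRE metacharacter,
// when an admin-supplied, pipe-separated "allowed file types" value is
// turned into the extension-check regex /\.(...)$/.

// Approach the post criticises: str_replace() on ?, *, + and . only.
function pattern_partial(string $types): string {
    $escaped = str_replace(['?', '*', '+', '.'], ['\?', '\*', '\+', '\.'], $types);
    return '/\.(' . $escaped . ')$/i';
}

// Approach the post recommends: split on the separator first, drop empty
// entries, then preg_quote() each entry so it can only match literally.
function pattern_quoted(string $types): string {
    $parts = array_filter(array_map('trim', explode('|', $types)),
                          fn(string $t): bool => $t !== '');
    $parts = array_map(fn(string $t): string => preg_quote($t, '/'), $parts);
    return '/\.(' . implode('|', $parts) . ')$/i';
}

function is_allowed(string $pattern, string $filename): bool {
    return preg_match($pattern, $filename) === 1;
}

// Constructed setting: meant as two literal entries, but the second one is
// PCRE syntax that partial escaping leaves live, so it matches any three
// letters instead of the literal text "[a-z]{3}".
$setting = 'pdf|[a-z]{3}';
echo "partial: ", pattern_partial($setting), "\n";
echo "quoted:  ", pattern_quoted($setting), "\n";

// "README" has no extension, so both patterns reject it: the trailing
// /\.(...)$/ anchor is the extension requirement the post also points out.
foreach (['report.pdf', 'upload.php', 'README'] as $name) {
    printf("%-12s partial=%s quoted=%s\n", $name,
        is_allowed(pattern_partial($setting), $name) ? 'allow' : 'reject',
        is_allowed(pattern_quoted($setting), $name) ? 'allow' : 'reject');
}
```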

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter normadize

    (@normadize)

    I ended up commenting out lines 116-123 and 144-146 and adding line 147 as follows:

    $file_type_pattern = '/' . $file_type_pattern . '/i';

    This allows any Regex as in filetype:. For me this is ok. Would be nice if you added a filetyperegex: option as well.

    Security-wise it’s not worse than before, but given this is a WP Admin Panel option, it should be OK (if an attacker gets into the WP Panel, this is the least of the owner’s worries).

    Plugin Author Takayuki Miyoshi

    (@takayukister)

    Unless you want to expose your site to a great security risk, you should not follow this kind of “hack”.

    Thread Starter normadize

    (@normadize)

    Your current code is not any more secure. More importantly, you should leave the choice to the user, not make the decision for them.

    I have a need for this for an internal project. As far as I can tell, currently you

    – require an extension (not all files have one)
    – force an extension filter
    – are not willing to even consider this since you marked this as resolved

    Those are not very healthy choices. We are talking about an admin option, so security-wise it’s fine, and you can still leave the default to require an extension.

    I see only benefits from adding an option like filetyperegex: for the expert users.

  • The topic ‘Forcing at least one file type … why?’ is closed to new replies.