Changeset 2590623

Timestamp:

08/30/2021 02:06:45 AM (4 years ago)

Author:

rinatkhaziev

Message:

Merge 7f2c9f1cbfdbeef0dba2f32d6c8952484bd861ca from GitHub

Location:

frontend-uploader/trunk

Files:

• composer.json (added)
• frontend-uploader.php (modified) (7 diffs)
• lib/php/frontend-uploader-settings.php (modified) (2 diffs)
• lib/php/functions.php (modified) (1 diff)
• readme.md (modified) (1 diff)
• readme.txt (modified) (3 diffs)

frontend-uploader/trunk/frontend-uploader.php

@@ -73 +73 @@
         $this->html = new Html_Helper;
 
-        // Either use default settings if no setting set, or try to merge defaults with existing settings
-        // Needed if new options were added in upgraded version of the plugin
-        $this->settings = get_option( $this->settings_slug, $this->settings_defaults() );
         register_activation_hook( __FILE__, array( $this, 'activate_plugin' ) );
     }
@@ -83 +80 @@
      */
     function action_init() {
+        // Try to gracefully fallback on default values, as well as merge any potentially new settings coming from an upgrade (:
+        $this->settings = array_merge( $this->settings_defaults(), (array) get_option( $this->settings_slug, [] ) );
 
         load_plugin_textdomain( 'frontend-uploader', false, dirname( plugin_basename( __FILE__ ) ) . '/languages/' );
@@ -142 +141 @@
 
     /**
-     * Add extra mime-types
-     *
-     * This is mostly legacy, and really should be deprecated or refactored due to unneccessary complexity
-     *
-     * @return [type] [description]
+     * Handle MIME-types:
+     *
+     * First we check what's in the plugin setting (if there's nothing we're falling back to Core list)
+     * If we're falling back to core value, make sure to remove HTML and JS files.
+     * Then we also explicitly try to remove any variant of PHP, just in case.
+     *
+     * After that we pass the value to the filter,
+     * so if somebody really wants to shoot in the foot they can do so.
+     *
+     * @return array the list of allowed for uploading mime types
      */
     function _get_mime_types() {
-        $mime_types = wp_get_mime_types();
-        $fu_mime_types = fu_get_mime_types();
-
-        $enabled = isset( $this->settings['enabled_files'] ) && is_array( $this->settings['enabled_files'] ) ?  $this->settings['enabled_files'] : array();
-
-        // $fu_mime_types holds extra mimes that are not allowed by WP
-        foreach ( $fu_mime_types as $extension => $details ) {
-            // Skip if it's not in the settings
-            if ( ! in_array( $extension, $enabled, true ) )
-                continue;
-
-            // Files have multiple mimes sometimes, we need to cover all of them
-            foreach ( $details['mimes'] as $ext_mime ) {
-                $mime_types[ $extension . '|' . $extension . sanitize_title_with_dashes( $ext_mime ) ] = $ext_mime;
-            }
-        }
-
-        // Configuration filter: fu_allowed_mime_types should return array of allowed mime types (see readme)
-        $mime_types = apply_filters( 'fu_allowed_mime_types', $mime_types );
-
-        foreach ( $mime_types as $ext_key => $mime ) {
-            // Check for php just in case
-            if ( false !== strpos( $mime, 'php' ) )
-                unset( $mime_types[$ext_key] );
-        }
+        // Use the fallback value but explicitly discard HTML and JS to prevent a possibility of XSS:
+        // If these types are enabled in the UI they'll end up in $this->settings['enabled_files'].
+        // $mime_types_orig is needed to re-map the values from the settings lib structure to core WP extension regex => mime-type format.
+        $mime_types = $mime_types_orig = wp_get_mime_types();
+        unset( $mime_types['htm|html'] );
+        unset( $mime_types['js'] );
+
+        $enabled = isset( $this->settings['enabled_files'] ) && is_array( $this->settings['enabled_files'] ) && $this->settings['enabled_files'] ? $this->settings['enabled_files'] : $mime_types;
+
+        foreach ( $enabled as $ext_key => $mime ) {
+            // Check for PHP.
+            if ( false !== strpos( $mime, 'php' ) ) {
+                unset( $enabled[ $ext_key ] );
+                trigger_error( __( "Frontend Uploader doesn't support PHP uploads for security reasons", 'frontend-uploader' ) );
+            }
+
+            // We need to re-map the value from our settings to the proper MIME-type instead of regex key for mime check to work correctly.
+            $enabled[ $ext_key ] = $mime_types_orig[ $ext_key ];
+        }
+
+        /**
+         * Configuration filter: fu_allowed_mime_types should return array of allowed mime types (see readme)
+         * @param array $enabled the list of enabled mime-types in core-compatible [ 'ext|ext2' => 'mime/type' ] format.
+         */
+        $mime_types = apply_filters( 'fu_allowed_mime_types', $enabled );
 
         return $mime_types;
@@ -186 +190 @@
         $defaults = array();
         $settings = Frontend_Uploader_Settings::get_settings_fields();
-        foreach ( $settings[$this->settings_slug] as $setting ) {
+        foreach ( $settings[ $this->settings_slug ] as $setting ) {
             $defaults[ $setting['name'] ] = $setting['default'];
         }
@@ -257 +261 @@
      */
     function _upload_files( $post_id = 0 ) {
-        // Only filter mimes just before the upload
+        // Only filter mimes just before the upload.
         add_filter( 'upload_mimes', array( $this, '_get_mime_types' ), 999 );
 
@@ -284 +288 @@
 
             // Skip to the next file if upload went wrong
-            if ( $k['error'] !== 0  ) {
+            if ( $k['error'] !== 0 ) {
                 $errors['fu-error-media'][] = array( 'name' => $k['name'], 'code' => $k['error'] );
                 continue;
             }
 
-            $typecheck = wp_check_filetype_and_ext( $k['tmp_name'], $k['name'], false );
+            $typecheck = mime_content_type( $k['tmp_name'] );
             // Add an error message if MIME-type is not allowed
-            if ( ! in_array( $typecheck['type'], (array) $this->allowed_mime_types, true ) ) {
+            if ( ! in_array( $typecheck, (array) $this->allowed_mime_types, true ) ) {
                 $errors['fu-disallowed-mime-type'][] = array( 'name' => $k['name'], 'mime' => $k['type'] );
                 continue;
@@ -1084 +1088 @@
                     'post_type' => 'post',
                     'category' => '',
-                    'suppress_default_fields' => ! ( isset( $this->settings['suppress_default_fields'] ) && 'on' === $this->settings['suppress_default_fields'] ),
+                    'suppress_default_fields' => isset( $this->settings['suppress_default_fields'] ) && 'on' === $this->settings['suppress_default_fields'],
                     'append_to_post' => false,
                 ), $atts ) );

frontend-uploader/trunk/lib/php/frontend-uploader-settings.php

@@ -64 +64 @@
      */
     static function get_settings_fields() {
+        static $settings_fields;
+
+        if ( $settings_fields ) {
+            return $settings_fields;
+        }
+
         $default_post_type = array( 'post' => 'Posts' );
+        $core_mime_types = fu_get_exts_descs();
+
+        // Sanitize a bit.
+        $safe_defaults = $core_mime_types;
+        unset( $safe_defaults['htm|html'] );
+        unset( $safe_defaults['js'] );
+        $safe_defaults_keys = array_keys( $safe_defaults );
+
         $settings_fields = array(
             'frontend_uploader_settings' => array(
@@ -145 +159 @@
                     'desc' => '',
                     'type' => 'multicheck',
-                    'default' => array(),
-                    'options' => fu_get_exts_descs(),
+                    'default' => array_combine( $safe_defaults_keys, $safe_defaults_keys ),
+                    'options' => $core_mime_types,
                 ),
                 array(

frontend-uploader/trunk/lib/php/functions.php

@@ -5 +5 @@
 
 /**
- * Get the common MIME-types for extensions
- * @return array
- */
-function fu_get_mime_types() {
-    // Generated with dyn_php class: http://www.phpclasses.org/package/2923-PHP-Generate-PHP-code-programmatically.html
-    $mimes_exts = array(
-        'csv'=>
-        array(
-            'label'=> 'Comma Separated Values File',
-            'mimes'=>
-            array(
-                'text/comma-separated-values',
-                'text/csv',
-                'application/csv',
-                'application/excel',
-                'application/vnd.ms-excel',
-                'application/vnd.msexcel',
-                'text/anytext',
-            ),
-        ),
-        'mp3'=>
-        array(
-            'label'=> 'MP3 Audio File',
-            'mimes'=>
-            array(
-                'audio/mpeg',
-                'audio/x-mpeg',
-                'audio/mp3',
-                'audio/x-mp3',
-                'audio/mpeg3',
-                'audio/x-mpeg3',
-                'audio/mpg',
-                'audio/x-mpg',
-                'audio/x-mpegaudio',
-            ),
-        ),
-        'avi'=>
-        array(
-            'label'=> 'Audio Video Interleave File',
-            'mimes'=>
-            array(
-                'video/avi',
-                'video/msvideo',
-                'video/x-msvideo',
-                'image/avi',
-                'video/xmpg2',
-                'application/x-troff-msvideo',
-                'audio/aiff',
-                'audio/avi',
-            ),
-        ),
-
-        'mid'=>
-        array(
-            'label'=> 'MIDI File',
-            'mimes'=>
-            array(
-                'audio/mid',
-                'audio/m',
-                'audio/midi',
-                'audio/x-midi',
-                'application/x-midi',
-                'audio/soundtrack',
-            ),
-        ),
-        'wav'=>
-        array(
-            'label'=> 'WAVE Audio File',
-            'mimes'=>
-            array(
-                'audio/wav',
-                'audio/x-wav',
-                'audio/wave',
-                'audio/x-pn-wav',
-            ),
-        ),
-        'wma'=>
-        array(
-            'label'=> 'Windows Media Audio File',
-            'mimes'=>
-            array(
-                'audio/x-ms-wma',
-                'video/x-ms-asf',
-            ),
-        ),
-    );
-
-    return $mimes_exts;
-}
-
-/**
  * Generate slug => description array for Frontend Uploader settings
  * @return array
  */
 function fu_get_exts_descs() {
-    $mimes = fu_get_mime_types();
+    $mimes = wp_get_mime_types();
     $a = array();
 
-    foreach( $mimes as $ext => $mime )
-        $a[$ext] = sprintf( '%1$s (.%2$s)', $mime['label'], $ext );
+    foreach( $mimes as $ext => $mime ) {
+        $a[ $ext ] = sprintf( '%2$s (%1$s)', $mime, str_replace( '|', ', ', $ext ) );
+    }
 
     return $a;

frontend-uploader/trunk/readme.md

@@ -1 +1 @@
 # Frontend Uploader
+
+⚠️ _This plugin is not actively maintained._ Any discovered security issues will be patched though. ⚠️
+
+If you're interested in becoming a maintainer please let me know.
 
 ## Description

frontend-uploader/trunk/readme.txt

@@ -4 +4 @@
 Tags: frontend, image, images, media, uploader, upload, video, audio, photo, photos, picture, pictures, file, user generated content, ugc, frontend upload
 Requires at least: 4.6
-Requires PHP: 5.4
 Tested up to: 5.0
 Stable tag: 1.3.2
@@ -16 +15 @@
 
 This plugin is a simple way for users to submit content to your site. The plugin uses a set of shortcodes to let you create highly customizable submission forms to your posts and pages. Once the content is submitted, it is held for moderation until you approve it. It’s that easy!
+
+**Security**
+
+Allowing uploads from unauthenticated users is inherently risky. The plugin relies on the core allow list for files. However, we explicitly remove HTML, JS and PHP files even if they're in the allow list. To modify the list of allowed file types please refer to *fu_allowed_mime_types* configuration filter section for additional details.
 
 = Exploring Customizations =
@@ -334 +337 @@
 
 This action runs after form was uploaded. Arguments are: (string) $layout (form layout), (array) $result - result of the upload.
-`add_action('fu_upload_result', 'my_fu_upload_result', 10, 2 );
+`add_action( 'fu_upload_result', 'my_fu_upload_result', 10, 2 );
 
 function my_fu_upload_result( $layout, $result ) {