• Hello,

    I found a snippet online. I added it with success. This is the code (had to add it to the functions.php in a child theme). What it does is give the contributor role the possibility to upload files.

    // Allow Contributors to Upload Media
    // Only hook the cap change when the current user is a contributor who
    // does not yet have the 'upload_files' capability.
    if ( current_user_can('contributor') && !current_user_can('upload_files') )
        add_action('admin_init', 'allow_contributor_uploads');

    // Adds the 'upload_files' capability to the contributor role.
    // Role capability changes are stored in the database, so this persists
    // after the first run.
    function allow_contributor_uploads() {
        $contributor = get_role('contributor');
        if ( $contributor ) {
            $contributor->add_cap('upload_files');
        }
    }
    

    How can I be sure the uploaded file + data (around 7 input fields for data in the attachment section of the media library) are properly filtered, sanitized and/or validated?

    What happens after the upload: are the data always dragged through all the essential filters? And how can I check this?


Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    You need to trust contributors to upload safe files. The files are validated to some extent, but the validation is not intended to catch malicious content. All media uploads are passed through wp_check_filetype_and_ext(). Check its source code to see what sort of checking is done.
    https://developer.www.ads-software.com/reference/functions/wp_check_filetype_and_ext/#source

    The filter by the same name can be used to perform additional checks. The calling function also performs additional checks and offers other filters for extending validation.
    https://developer.www.ads-software.com/reference/functions/_wp_handle_upload/#source

    All media library uploads pass through these checks. You can verify by trying to upload an intentionally invalidly formed file.

    BTW, you don’t really have to keep that code active, you could now comment out the add_action() call since it had already been executed. Changes to role caps are persistent. Related code needn’t run on every request.
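    One way to use the filters mentioned above to tighten what contributors can upload, as an added example that is not code from the thread or from WordPress core. It assumes it sits in the same child-theme functions.php, and the helper name example_is_contributor_only() is made up for this example.

```php
<?php
// Added example: restrict 'contributor' media uploads to a few image types
// and verify that the file contents really are an image before it is moved.

// Helper (hypothetical name): true when the current user is a contributor
// and does not hold a higher-privilege capability.
function example_is_contributor_only() {
    $user = wp_get_current_user();
    return in_array( 'contributor', (array) $user->roles, true )
        && ! current_user_can( 'edit_others_posts' );
}

// 1. Narrow the allowed MIME list for contributors. This list is what
//    wp_check_filetype_and_ext() receives as its $mimes argument.
add_filter( 'upload_mimes', function ( $mimes ) {
    if ( ! example_is_contributor_only() ) {
        return $mimes;
    }
    return array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
    );
} );

// 2. Before _wp_handle_upload() moves the file, check the bytes on disk.
//    Setting $file['error'] to a string makes the upload abort with that
//    message shown to the user.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    if ( ! example_is_contributor_only() ) {
        return $file;
    }
    // wp_get_image_mime() inspects the file contents; false if not an image.
    $real_mime = wp_get_image_mime( $file['tmp_name'] );
    // wp_check_filetype() maps the extension through the (filtered) MIME list.
    $by_name   = wp_check_filetype( $file['name'] );
    if ( false === $real_mime || $real_mime !== $by_name['type'] ) {
        $file['error'] = 'Contributors may only upload JPEG, PNG or GIF images whose contents match the file extension.';
    }
    return $file;
} );
```

    To confirm the hooks fire, log in as a contributor and try uploading a text file renamed with a .jpg extension; the second filter should reject it with the message above.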

  • The topic ‘Is it safe to add just some code?’ is closed to new replies.