[Plugin: Enable Media Replace] File type does not meet security guidelines

  • Received the following message after upgrading to 2.4 and trying to replace an RDF file (not an allowable filetype by default in WP): “File type does not meet security guidelines. Try another.”

    Using Thematic theme, granted additional filetypes to be uploaded with the following code in functions.php: 

    function addUploadMimes($mimes) {
    $mimes = array_merge($mimes, array(
        'pub|psd|rdf' => 'application/octet-stream'
    ));
    return $mimes;
}
add_filter('upload_mimes', 'addUploadMimes');

    I see the plugin uses “get_allowed_mime_types” – which I believe points back to the core wp-includes/functions.php. How can I get the plugin to point to what I’ve told WP to allow for filetypes in my theme’s functions.php file? Thanks for the help!

Viewing 9 replies - 1 through 9 (of 9 total)

  • Hm. I’m sorry, but I have no idea. My plugin was listed as a security risk on several web sites since I was NOT using get_allowed_mime_types on the upload. Therefore, I was forced to add this functionality in the latest version of the plugin.

    If anybody has any ideas on how to make WP understand that certain file types are permitted by the filter as stated above, please let me know.

    I’m also having a problem with accepted mime types. I can upload pptx the first time through WordPress. I found pptx in the $mimes array in wp-includes/functions.php, but Enable Media Replace isn’t allowing that extension. I looked through the few files that make up the plugin and couldn’t find anything quickly to fix this.

    Does anyone know what file and function to modify for this?

    Another issue I’ve had is that I can replace a document with a new one, but the new one won’t show unless I flush my cache in my browser. That’s easy for me, but users on the sites I administer have a hard time with it.

    I really like this plugin. If you are the author and find these comments, please don’t take them wrong. This plugin has saved us lots of time when there are links on multiple pages to the same file.

    Peace!

    The MIME-type problem is a tough one to crack. I really have no idea on how to solve it right now, since I was forced to add the check for allowed MIME types to get my plugin off a list of plugins with security problems.

    The second problem, about browser cache, is even more hard to solve. There is no way for the server to purge the browser cache, unfortunately.

    Yeah. I figured that about the browser cache issue. Maybe an update from WP will fix the MIME type issue?

    Thanks.

    I just rolled back to 2.3 for this very reason. (my install is on a closed intranet, so security issues don’t bother me as much). Frankly, it’s kind of ridiculous that .docx, .pptx, .xlsx, etc aren’t yet included files in WordPress’ allowed mime types.

    As for the caching issue, I got around it by using this plugin in conjunction with the Content Switcher plugin, which allows you to append any link with a randomly generated number every time you load a page. That appended number forces your browser to read it as a fresh file every time. Like bobbybro, I have to make this process as easy as possible for my site users and this has so far been the only solution that consistently works.

    One more thought, MungoBBQ:

    I wonder if, in addition to using the get_allowed_mime_types, you could add a function like this:

    https://www.ads-software.com/support/topic/media-library-7?replies=2

    And then possibly on a plugin options page, you could allow the addition of extensions there. Not sure if that still flags your plugin as a security risk or not, but something to consider if you haven’t already.

    Thanks lahrah, unfortunately I think that would still be reason for the inclusion on a list of “unsecure” WP plugins.

    The real problem here is that the WP core function “get_allowed_mime_types” does not return the correct list after you (and me!) have added mime types in functions.php. I have submitted a bug report to the devs.

    I’m getting this error all of a sudden also when attempting to replace a PDF file. Any fix on this yet?

    Unfortunately, I do not know of another way to fix this problem right now.

    The problem is that PHP seems to lack a truly reliable way of determining the MIME type of a file.

    In the newer versions of the plugin, I am checking for the function “mime_content_type”, which works in some system, but is deprecated and therefore unreliable.

    If “mime_content_type” is not available, I am using PHP:s built-in variables for uploaded files, $_FILES[][“type”] – but the problem there is that it doesn’t work 100%, and it even seems to be client-dependant, so that it works with certain browsers but not with others.

    So why do I need to check the MIME type at all? Good question! In the earlier versions of the plugin (i.e. before 2.4) I wasn’t checking the MIME type on uploaded files before replacing the originals. The problem with that was that my plugin was flagged as insecure on several major security-related web sites since it was technically possible to upload a malicious file to replace a “safe” file. As you probably know, WordPress has a built-in file filter which only allows uploads of certain types of files. My plugin was breaking those rules, and to get my plugin off the security warning lists, I had to incorporate some type of file type check, which is where the problems are right now.

    I will continue to look into other possible fixes, but for now, if you are running into these problems, my only advice is to uninstall the current version of the plugin and install 2.3 instead, which was the last version without the MIME type checks.

    The 2.3 version can be found on www.ads-software.com here

    /M;

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘[Plugin: Enable Media Replace] File type does not meet security guidelines’ is closed to new replies.