• I think I found a bug/exploit in the ms-files

    We have spent many hours trying to change the mod_rewrite to handle /files/css/style.css?version=1.0.2, the goal being to force immediate updates to the CSS/JavaScript, as the TTL/expire on them is set to days.

    However, we could only change between it serving up mimetype = css?version=1.0.2 or a 404 when it looks for ‘style.css?’.

    Upon reviewing the ms-files I found that it calls
    $mime = wp_check_filetype( $_SERVER[ 'REQUEST_URI' ] );
    and
    $mimetype = 'image/' . substr( $_SERVER[ 'REQUEST_URI' ], strrpos( $_SERVER[ 'REQUEST_URI' ], '.' ) + 1 );

    ‘REQUEST_URI’ is the request with query strings, before mod_rewrite renders it. This means that not only does mod_rewrite not impact what ms-files serves up, but it also appends query strings to file types, which flow through to mimetype. I believe the preferred data should come from the REDIRECT_URL or another server var to at least avoid the query string, or to check the REQUEST_URI for ‘?’ and chop the query string off.

    if ( isset( $_SERVER['REDIRECT_URL'] ) && ! empty( $_SERVER['REDIRECT_URL'] ) ) {
        // mod_rewrite target: the rewritten path, without the query string
        $filerequested = $_SERVER['REDIRECT_URL'];
    } else {
        // no rewrite in play: raw request, query string still included
        $filerequested = $_SERVER['REQUEST_URI'];
    }
    ...
    $mime = wp_check_filetype( $filerequested );
    ...
    $mimetype = 'image/' . substr( $filerequested, strrpos( $filerequested, '.' ) + 1 );

    That way users can mod_rewrite what goes into ms-files, and it also helps security, as bots passing parameters such as ?command=touch+-235xxx+hackedfile would be dropped, preventing exploits.
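    As an added example (not code from ms-files.php or from the post above), the query-string stripping described here in PHP: REDIRECT_URL is preferred when present, otherwise the query string is cut from REQUEST_URI before the extension lookup. The MIME map and the ms_files_* function names are hypothetical, standing in for wp_check_filetype().

```php
<?php
// Added example, not the ms-files.php source: strip the query string before any file-type check.

// Return the path ms-files should look up, with any query string removed.
// Prefers REDIRECT_URL (what mod_rewrite produced) when present, otherwise
// strips the query string from REQUEST_URI. Both inputs are untrusted.
function ms_files_requested_path(array $server): string {
    $raw = !empty($server['REDIRECT_URL'])
        ? $server['REDIRECT_URL']
        : ($server['REQUEST_URI'] ?? '');
    // parse_url() with PHP_URL_PATH drops "?query" and "#fragment".
    $path = parse_url($raw, PHP_URL_PATH);
    return is_string($path) ? $path : '';
}

/** Extension the way ms-files computes it: everything after the last dot. */
function ms_files_extension(string $s): string {
    $pos = strrpos($s, '.');
    return $pos === false ? '' : strtolower(substr($s, $pos + 1));
}

// Hypothetical allow-list standing in for wp_check_filetype(): unknown
// extensions are refused rather than guessed.
const MS_FILES_MIME = [
    'css' => 'text/css',
    'js'  => 'application/javascript',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

function ms_files_mime(string $path): ?string {
    return MS_FILES_MIME[ms_files_extension($path)] ?? null;
}

// Constructed request: the cache-busting URI from the post, after mod_rewrite.
$server = [
    'REQUEST_URI'  => '/files/css/style.css?version=1.0.2',
    'REDIRECT_URL' => '/files/css/style.css',
];

// Original behaviour: the last '.' of REQUEST_URI sits inside "1.0.2", so the
// "extension" is taken from the version number, not from the file name.
printf("raw extension: %s\n", ms_files_extension($server['REQUEST_URI']));

// Hardened behaviour: the query string is gone before the lookup.
$path = ms_files_requested_path($server);
printf("path %s -> %s\n", $path, ms_files_mime($path) ?? 'refused');

// Without mod_rewrite (no REDIRECT_URL) the query string is still stripped.
unset($server['REDIRECT_URL']);
printf("no rewrite: %s\n", ms_files_requested_path($server));
```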

  • The topic ‘ms-files and mod_rewrite’ is closed to new replies.