Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author latorante

    (@latorante)

    Yes, what this means is that your installation is missing either one of these functions, and PHP won’t be able to determine the file type using the mime-type extension … it can only check the extension itself.

    Therefore “.jpg” … “.pdf”, etc. But an intruder can force an executable file disguised as a jpg, for example.

    So it’s not odd at all, it’s a warning for you.

    Regards,
    Mart

    Thread Starter violacase

    (@violacase)

    Hi Latorante,

    I do understand your reply but I can’t understand why a newer version of PHP would miss that basic security. I’m fairly sure that PHP 5.4.x is well built and so by default is prepared for nasty attacks.

    Have a look at https://www.php.net/manual/en/function.mime-content-type.php
    You’ll see that mime_content_type is deprecated.

    Thread Starter violacase

    (@violacase)

    Follow up:
    Study this: https://www.php.net/manual/en/function.finfo-file.php

    BTW: I didn’t mention my opinion about your plugin. Well… I do like it. I can think of some extras / modifications but basically it’s a nice and useful plugin.

    Regards!

    Plugin Author latorante

    (@latorante)

    Ha, nice one, what are your suggestions,
    let’s make it better!

    Mart

    Thread Starter violacase

    (@violacase)

    Plugin Author latorante

    (@latorante)

    Right on, I’ll just comment on that post here, hope that’s ok.

    You shouldn’t allow uploading a file on the front end if you don’t check the contents against malicious code/errors/mistakes. You may not rely on the file extension.
    That’s the point, I don’t. The only moment the plugin checks for only the file extension is when you’re missing all the PHP file-info functions and it can’t determine that file’s true type. Which is exactly your case – you lack all the necessary fileinfo functions, so it has to rely only on the file extension. Whereas if you had those in your PHP, you wouldn’t see the security message, and it would check everything. Properly, as PHP does.

    Implementing error and security handling per file type is a must. If an error occurs you must inform the user in a decent manner, i.e. ajaxify the input/output.
    Nope, I’m not gonna do that. WordPress itself handles all commenting errors using wp_die, which is what I do as well, since I’m only extending the form and its possibilities. My plugin doesn’t restructure the whole process of handling errors – ajaxifying validation etc. There are tons of other plugins for that – my plugin only extends the form so people can attach files.

    The only visible thing the plugin should show on the front end is a button just left of the standard ‘Post Comment’-button below the comment text area. Clicking that button could unhide a div or popup a lightbox for handling the attachment procedure.
    I disagree again, this plugin isn’t for everybody I guess, since it’s very special in its functionality, it’s for people who want to attach files to their comments regularly, not once a year. So I’m not gonna do this either.

    Other than that, I just realised you missed the point with your original thread here. Thinking it doesn’t check the file itself – as I mentioned, the message in the admin – saying you’re lacking those PHP extensions – shows itself only if you really lack those. 99% of the people don’t, you’re just one of the few.

    Regards,
    Mart

    Thread Starter violacase

    (@violacase)

    Ok Mart,

    Since PHP FileInfo functions are enabled by default as of PHP 5.3.0, and my local PHP is 5.4.21, I wondered why the plugin didn’t recognize finfo(). Well, it turned out that on a Windows machine you must enable it in php.ini by uncommenting the line: extension=php_fileinfo.dll

    Having fixed that and looking at your code I doubt you may rely just on mime types. On the other hand, I don’t think the uploaded files will pass the php processor so perhaps no real harm can happen. I’m not a security expert so I leave further remarks up to them …

    About the front end: I disagree with you but think it’s better to create a separate thread. Things get mixed up a bit.

    Happy coding!
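An added example of the kind of check discussed in this thread (not the plugin’s own code): it accepts an upload only when the MIME type detected by the fileinfo extension matches the allow-listed extension, and refuses to fall back to an extension-only check when fileinfo is missing (on Windows, that means uncommenting extension=php_fileinfo.dll in php.ini as described above). ALLOWED_TYPES and upload_is_acceptable are assumed names; the sample file at the end is constructed.

```php
<?php
// Added example, not the plugin's code: validate an upload by checking the
// content-detected MIME type against an allow-list instead of trusting the
// file extension alone.

// Allow-list of extension => accepted MIME types (constructed example).
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];

/**
 * True only if the extension is allow-listed AND the MIME type detected
 * from the file contents is one that the extension promises.
 * Throws if fileinfo is unavailable, so callers cannot silently degrade
 * to an extension-only check.
 */
function upload_is_acceptable(string $path, string $originalName): bool
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return false; // extension not on the allow-list
    }

    if (!function_exists('finfo_open')) {
        // On Windows: extension=php_fileinfo.dll must be enabled in php.ini
        throw new RuntimeException(
            'fileinfo extension unavailable; refusing extension-only validation'
        );
    }

    $finfo    = finfo_open(FILEINFO_MIME_TYPE);
    $detected = finfo_file($finfo, $path);
    finfo_close($finfo);

    // A script renamed to .jpg is detected by its contents, not its name,
    // so it will not match image/jpeg here.
    return in_array($detected, ALLOWED_TYPES[$ext], true);
}

// Usage with a constructed sample: text content uploaded under a .jpg name.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "this is plain text, not a JPEG\n");
var_dump(upload_is_acceptable($tmp, 'photo.jpg'));
unlink($tmp);
```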

  • The topic ‘PHP security warning’ is closed to new replies.