[2.6] Only allow image MIME type upload via APIs
This commit is contained in:
Mike Jolley
parent
fb18af837c
commit
4f5896d908
|
|
@ -1804,9 +1804,8 @@ class WC_API_Products extends WC_API_Resource {
|
|||
* @throws WC_API_Exception
|
||||
*/
|
||||
public function upload_product_image( $image_url ) {
|
||||
$file_name = basename( current( explode( '?', $image_url ) ) );
|
||||
$wp_filetype = wp_check_filetype( $file_name, null );
|
||||
$parsed_url = @parse_url( $image_url );
|
||||
$file_name = basename( current( explode( '?', $image_url ) ) );
|
||||
$parsed_url = @parse_url( $image_url );
|
||||
|
||||
// Check parsed URL
|
||||
if ( ! $parsed_url || ! is_array( $parsed_url ) ) {
|
||||
|
|
@ -1828,6 +1827,8 @@ class WC_API_Products extends WC_API_Resource {
|
|||
}
|
||||
|
||||
// Ensure we have a file name and type
|
||||
$wp_filetype = wp_check_filetype( $file_name, wc_rest_allowed_image_mime_types() );
|
||||
|
||||
if ( ! $wp_filetype['type'] ) {
|
||||
$headers = wp_remote_retrieve_headers( $response );
|
||||
if ( isset( $headers['content-disposition'] ) && strstr( $headers['content-disposition'], 'filename=' ) ) {
|
||||
|
|
@ -1838,6 +1839,13 @@ class WC_API_Products extends WC_API_Resource {
|
|||
$file_name = 'image.' . str_replace( 'image/', '', $headers['content-type'] );
|
||||
}
|
||||
unset( $headers );
|
||||
|
||||
// Recheck filetype
|
||||
$wp_filetype = wp_check_filetype( $file_name, wc_rest_allowed_image_mime_types() );
|
||||
|
||||
if ( ! $wp_filetype['type'] ) {
|
||||
throw new WC_API_Exception( 'woocommerce_api_invalid_product_image', __( 'Invalid image type.', 'woocommerce' ), 400 );
|
||||
}
|
||||
}
|
||||
|
||||
// Upload the file
|
||||
|
|
|
|||
|
|
@ -2360,9 +2360,8 @@ class WC_API_Products extends WC_API_Resource {
|
|||
* @return int|WP_Error Attachment id
|
||||
*/
|
||||
protected function upload_image_from_url( $image_url, $upload_for = 'product_image' ) {
|
||||
$file_name = basename( current( explode( '?', $image_url ) ) );
|
||||
$wp_filetype = wp_check_filetype( $file_name, null );
|
||||
$parsed_url = @parse_url( $image_url );
|
||||
$file_name = basename( current( explode( '?', $image_url ) ) );
|
||||
$parsed_url = @parse_url( $image_url );
|
||||
|
||||
// Check parsed URL.
|
||||
if ( ! $parsed_url || ! is_array( $parsed_url ) ) {
|
||||
|
|
@ -2384,6 +2383,8 @@ class WC_API_Products extends WC_API_Resource {
|
|||
}
|
||||
|
||||
// Ensure we have a file name and type.
|
||||
$wp_filetype = wp_check_filetype( $file_name, wc_rest_allowed_image_mime_types() );
|
||||
|
||||
if ( ! $wp_filetype['type'] ) {
|
||||
$headers = wp_remote_retrieve_headers( $response );
|
||||
if ( isset( $headers['content-disposition'] ) && strstr( $headers['content-disposition'], 'filename=' ) ) {
|
||||
|
|
@ -2394,6 +2395,13 @@ class WC_API_Products extends WC_API_Resource {
|
|||
$file_name = 'image.' . str_replace( 'image/', '', $headers['content-type'] );
|
||||
}
|
||||
unset( $headers );
|
||||
|
||||
// Recheck filetype
|
||||
$wp_filetype = wp_check_filetype( $file_name, wc_rest_allowed_image_mime_types() );
|
||||
|
||||
if ( ! $wp_filetype['type'] ) {
|
||||
throw new WC_API_Exception( 'woocommerce_api_invalid_' . $upload_for, __( 'Invalid image type.', 'woocommerce' ), 400 );
|
||||
}
|
||||
}
|
||||
|
||||
// Upload the file.
|
||||
|
|
|
|||
|
|
@ -1992,6 +1992,22 @@ class WC_CLI_Product extends WC_CLI_Command {
|
|||
return $taxonomy;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns image mime types users are allowed to upload via the API.
|
||||
* @since 2.6.4
|
||||
* @return array
|
||||
*/
|
||||
private function allowed_image_mime_types() {
|
||||
return apply_filters( 'woocommerce_cli_allowed_image_mime_types', array(
|
||||
'jpg|jpeg|jpe' => 'image/jpeg',
|
||||
'gif' => 'image/gif',
|
||||
'png' => 'image/png',
|
||||
'bmp' => 'image/bmp',
|
||||
'tiff|tif' => 'image/tiff',
|
||||
'ico' => 'image/x-icon',
|
||||
) );
|
||||
}
|
||||
|
||||
/**
|
||||
* Upload image from URL
|
||||
*
|
||||
|
|
@ -2002,7 +2018,6 @@ class WC_CLI_Product extends WC_CLI_Command {
|
|||
*/
|
||||
private function upload_product_image( $image_url ) {
|
||||
$file_name = basename( current( explode( '?', $image_url ) ) );
|
||||
$wp_filetype = wp_check_filetype( $file_name, null );
|
||||
$parsed_url = @parse_url( $image_url );
|
||||
|
||||
// Check parsed URL
|
||||
|
|
@ -2025,6 +2040,8 @@ class WC_CLI_Product extends WC_CLI_Command {
|
|||
}
|
||||
|
||||
// Ensure we have a file name and type
|
||||
$wp_filetype = wp_check_filetype( $file_name, $this->allowed_image_mime_types() );
|
||||
|
||||
if ( ! $wp_filetype['type'] ) {
|
||||
$headers = wp_remote_retrieve_headers( $response );
|
||||
if ( isset( $headers['content-disposition'] ) && strstr( $headers['content-disposition'], 'filename=' ) ) {
|
||||
|
|
@ -2035,6 +2052,13 @@ class WC_CLI_Product extends WC_CLI_Command {
|
|||
$file_name = 'image.' . str_replace( 'image/', '', $headers['content-type'] );
|
||||
}
|
||||
unset( $headers );
|
||||
|
||||
// Recheck filetype
|
||||
$wp_filetype = wp_check_filetype( $file_name, $this->allowed_image_mime_types() );
|
||||
|
||||
if ( ! $wp_filetype['type'] ) {
|
||||
throw new WC_CLI_Exception( 'woocommerce_cli_invalid_image_type', __( 'Invalid image type.', 'woocommerce' ) );
|
||||
}
|
||||
}
|
||||
|
||||
// Upload the file.
|
||||
|
|
|
|||
|
|
@ -39,6 +39,22 @@ function wc_rest_prepare_date_response( $date ) {
|
|||
return mysql_to_rfc3339( $date );
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns image mime types users are allowed to upload via the API.
|
||||
* @since 2.6.4
|
||||
* @return array
|
||||
*/
|
||||
function wc_rest_allowed_image_mime_types() {
|
||||
return apply_filters( 'woocommerce_rest_allowed_image_mime_types', array(
|
||||
'jpg|jpeg|jpe' => 'image/jpeg',
|
||||
'gif' => 'image/gif',
|
||||
'png' => 'image/png',
|
||||
'bmp' => 'image/bmp',
|
||||
'tiff|tif' => 'image/tiff',
|
||||
'ico' => 'image/x-icon',
|
||||
) );
|
||||
}
|
||||
|
||||
/**
|
||||
* Upload image from URL.
|
||||
*
|
||||
|
|
@ -47,9 +63,8 @@ function wc_rest_prepare_date_response( $date ) {
|
|||
* @return array|WP_Error Attachment data or error message.
|
||||
*/
|
||||
function wc_rest_upload_image_from_url( $image_url ) {
|
||||
$file_name = basename( current( explode( '?', $image_url ) ) );
|
||||
$wp_filetype = wp_check_filetype( $file_name, null );
|
||||
$parsed_url = @parse_url( $image_url );
|
||||
$file_name = basename( current( explode( '?', $image_url ) ) );
|
||||
$parsed_url = @parse_url( $image_url );
|
||||
|
||||
// Check parsed URL.
|
||||
if ( ! $parsed_url || ! is_array( $parsed_url ) ) {
|
||||
|
|
@ -71,6 +86,8 @@ function wc_rest_upload_image_from_url( $image_url ) {
|
|||
}
|
||||
|
||||
// Ensure we have a file name and type.
|
||||
$wp_filetype = wp_check_filetype( $file_name, wc_rest_allowed_image_mime_types() );
|
||||
|
||||
if ( ! $wp_filetype['type'] ) {
|
||||
$headers = wp_remote_retrieve_headers( $response );
|
||||
if ( isset( $headers['content-disposition'] ) && strstr( $headers['content-disposition'], 'filename=' ) ) {
|
||||
|
|
@ -81,6 +98,13 @@ function wc_rest_upload_image_from_url( $image_url ) {
|
|||
$file_name = 'image.' . str_replace( 'image/', '', $headers['content-type'] );
|
||||
}
|
||||
unset( $headers );
|
||||
|
||||
// Recheck filetype
|
||||
$wp_filetype = wp_check_filetype( $file_name, wc_rest_allowed_image_mime_types() );
|
||||
|
||||
if ( ! $wp_filetype['type'] ) {
|
||||
return new WP_Error( 'woocommerce_rest_invalid_image_type', __( 'Invalid image type.', 'woocommerce' ), array( 'status' => 400 ) );
|
||||
}
|
||||
}
|
||||
|
||||
// Upload the file.
|
||||
|
|
|
|||
Loading…
Reference in New Issue