[2.6] Only allow image MIME type upload via APIs

This commit is contained in:
Mike Jolley 2016-07-21 16:20:13 +01:00
parent fb18af837c
commit 4f5896d908
4 changed files with 74 additions and 10 deletions


@ -1804,9 +1804,8 @@ class WC_API_Products extends WC_API_Resource {
* @throws WC_API_Exception * @throws WC_API_Exception
*/ */
public function upload_product_image( $image_url ) { public function upload_product_image( $image_url ) {
$file_name = basename( current( explode( '?', $image_url ) ) ); $file_name = basename( current( explode( '?', $image_url ) ) );
$wp_filetype = wp_check_filetype( $file_name, null ); $parsed_url = @parse_url( $image_url );
$parsed_url = @parse_url( $image_url );
// Check parsed URL // Check parsed URL
if ( ! $parsed_url || ! is_array( $parsed_url ) ) { if ( ! $parsed_url || ! is_array( $parsed_url ) ) {
@ -1828,6 +1827,8 @@ class WC_API_Products extends WC_API_Resource {
} }
// Ensure we have a file name and type // Ensure we have a file name and type
$wp_filetype = wp_check_filetype( $file_name, wc_rest_allowed_image_mime_types() );
if ( ! $wp_filetype['type'] ) { if ( ! $wp_filetype['type'] ) {
$headers = wp_remote_retrieve_headers( $response ); $headers = wp_remote_retrieve_headers( $response );
if ( isset( $headers['content-disposition'] ) && strstr( $headers['content-disposition'], 'filename=' ) ) { if ( isset( $headers['content-disposition'] ) && strstr( $headers['content-disposition'], 'filename=' ) ) {
@ -1838,6 +1839,13 @@ class WC_API_Products extends WC_API_Resource {
$file_name = 'image.' . str_replace( 'image/', '', $headers['content-type'] ); $file_name = 'image.' . str_replace( 'image/', '', $headers['content-type'] );
} }
unset( $headers ); unset( $headers );
// Recheck filetype
$wp_filetype = wp_check_filetype( $file_name, wc_rest_allowed_image_mime_types() );
if ( ! $wp_filetype['type'] ) {
throw new WC_API_Exception( 'woocommerce_api_invalid_product_image', __( 'Invalid image type.', 'woocommerce' ), 400 );
}
} }
// Upload the file // Upload the file
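Review bot: The allowlist check added before and after the header fallback (`wp_check_filetype( $file_name, wc_rest_allowed_image_mime_types() )`) validates only the file extension, and that extension comes from the remote URL's basename or from the response's `Content-Disposition`/`Content-Type` headers, which the remote host controls; the downloaded bytes are never inspected. If the upload path below (outside this hunk) does not re-validate the saved file, a content check such as `wp_check_filetype_and_ext()` on the written file, or a `getimagesize()` probe before `wp_upload_bits()`, would be the stronger gate. The same limitation applies to the equivalent rechecks in `upload_image_from_url()`, `WC_CLI_Product::upload_product_image()` and `wc_rest_upload_image_from_url()`. At minimum the docblock above should state the contract: `Only the extension is validated against the image allowlist; file contents are not sniffed.` The body of `upload_product_image()` continues outside the hunk.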


@ -2360,9 +2360,8 @@ class WC_API_Products extends WC_API_Resource {
* @return int|WP_Error Attachment id * @return int|WP_Error Attachment id
*/ */
protected function upload_image_from_url( $image_url, $upload_for = 'product_image' ) { protected function upload_image_from_url( $image_url, $upload_for = 'product_image' ) {
$file_name = basename( current( explode( '?', $image_url ) ) ); $file_name = basename( current( explode( '?', $image_url ) ) );
$wp_filetype = wp_check_filetype( $file_name, null ); $parsed_url = @parse_url( $image_url );
$parsed_url = @parse_url( $image_url );
// Check parsed URL. // Check parsed URL.
if ( ! $parsed_url || ! is_array( $parsed_url ) ) { if ( ! $parsed_url || ! is_array( $parsed_url ) ) {
@ -2384,6 +2383,8 @@ class WC_API_Products extends WC_API_Resource {
} }
// Ensure we have a file name and type. // Ensure we have a file name and type.
$wp_filetype = wp_check_filetype( $file_name, wc_rest_allowed_image_mime_types() );
if ( ! $wp_filetype['type'] ) { if ( ! $wp_filetype['type'] ) {
$headers = wp_remote_retrieve_headers( $response ); $headers = wp_remote_retrieve_headers( $response );
if ( isset( $headers['content-disposition'] ) && strstr( $headers['content-disposition'], 'filename=' ) ) { if ( isset( $headers['content-disposition'] ) && strstr( $headers['content-disposition'], 'filename=' ) ) {
@ -2394,6 +2395,13 @@ class WC_API_Products extends WC_API_Resource {
$file_name = 'image.' . str_replace( 'image/', '', $headers['content-type'] ); $file_name = 'image.' . str_replace( 'image/', '', $headers['content-type'] );
} }
unset( $headers ); unset( $headers );
// Recheck filetype
$wp_filetype = wp_check_filetype( $file_name, wc_rest_allowed_image_mime_types() );
if ( ! $wp_filetype['type'] ) {
throw new WC_API_Exception( 'woocommerce_api_invalid_' . $upload_for, __( 'Invalid image type.', 'woocommerce' ), 400 );
}
} }
// Upload the file. // Upload the file.
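Review bot: The new `throw new WC_API_Exception( 'woocommerce_api_invalid_' . $upload_for, ... )` means `upload_image_from_url()` now throws for a rejected type, but the docblock at the top of the hunk still only says `@return int|WP_Error Attachment id`; a caller reading it would not expect an exception for a bad extension. Add `@throws WC_API_Exception If the resolved file name does not match an allowed image MIME type.` next to the `@return` tag, matching the `@throws` already present on `upload_product_image()`. The error code is built from `$upload_for`, so the docblock for that parameter (outside the hunk) should also note that it becomes part of the exception code.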


@ -1992,6 +1992,22 @@ class WC_CLI_Product extends WC_CLI_Command {
return $taxonomy; return $taxonomy;
} }
/**
* Returns image mime types users are allowed to upload via the API.
* @since 2.6.4
* @return array
*/
private function allowed_image_mime_types() {
return apply_filters( 'woocommerce_cli_allowed_image_mime_types', array(
'jpg|jpeg|jpe' => 'image/jpeg',
'gif' => 'image/gif',
'png' => 'image/png',
'bmp' => 'image/bmp',
'tiff|tif' => 'image/tiff',
'ico' => 'image/x-icon',
) );
}
/** /**
* Upload image from URL * Upload image from URL
* *
@ -2002,7 +2018,6 @@ class WC_CLI_Product extends WC_CLI_Command {
*/ */
private function upload_product_image( $image_url ) { private function upload_product_image( $image_url ) {
$file_name = basename( current( explode( '?', $image_url ) ) ); $file_name = basename( current( explode( '?', $image_url ) ) );
$wp_filetype = wp_check_filetype( $file_name, null );
$parsed_url = @parse_url( $image_url ); $parsed_url = @parse_url( $image_url );
// Check parsed URL // Check parsed URL
@ -2025,6 +2040,8 @@ class WC_CLI_Product extends WC_CLI_Command {
} }
// Ensure we have a file name and type // Ensure we have a file name and type
$wp_filetype = wp_check_filetype( $file_name, $this->allowed_image_mime_types() );
if ( ! $wp_filetype['type'] ) { if ( ! $wp_filetype['type'] ) {
$headers = wp_remote_retrieve_headers( $response ); $headers = wp_remote_retrieve_headers( $response );
if ( isset( $headers['content-disposition'] ) && strstr( $headers['content-disposition'], 'filename=' ) ) { if ( isset( $headers['content-disposition'] ) && strstr( $headers['content-disposition'], 'filename=' ) ) {
@ -2035,6 +2052,13 @@ class WC_CLI_Product extends WC_CLI_Command {
$file_name = 'image.' . str_replace( 'image/', '', $headers['content-type'] ); $file_name = 'image.' . str_replace( 'image/', '', $headers['content-type'] );
} }
unset( $headers ); unset( $headers );
// Recheck filetype
$wp_filetype = wp_check_filetype( $file_name, $this->allowed_image_mime_types() );
if ( ! $wp_filetype['type'] ) {
throw new WC_CLI_Exception( 'woocommerce_cli_invalid_image_type', __( 'Invalid image type.', 'woocommerce' ) );
}
} }
// Upload the file. // Upload the file.
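Review bot: `WC_CLI_Product::allowed_image_mime_types()` duplicates the list in `wc_rest_allowed_image_mime_types()` and exposes it under a different filter name, `woocommerce_cli_allowed_image_mime_types` versus `woocommerce_rest_allowed_image_mime_types`, so a site that tightens one list (for example dropping `bmp`/`tiff`/`ico`) would not tighten the other, and the two will drift on future edits. Since the legacy API classes in this same commit already call `wc_rest_allowed_image_mime_types()` directly, the CLI method could do the same and keep a single source of truth, assuming the REST functions file is loaded when WP-CLI runs (worth confirming). The docblock also says `via the API` for a CLI-only method; `Returns image mime types users are allowed to upload via WP-CLI.` would be accurate.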


@ -39,6 +39,22 @@ function wc_rest_prepare_date_response( $date ) {
return mysql_to_rfc3339( $date ); return mysql_to_rfc3339( $date );
} }
/**
* Returns image mime types users are allowed to upload via the API.
* @since 2.6.4
* @return array
*/
function wc_rest_allowed_image_mime_types() {
return apply_filters( 'woocommerce_rest_allowed_image_mime_types', array(
'jpg|jpeg|jpe' => 'image/jpeg',
'gif' => 'image/gif',
'png' => 'image/png',
'bmp' => 'image/bmp',
'tiff|tif' => 'image/tiff',
'ico' => 'image/x-icon',
) );
}
/** /**
* Upload image from URL. * Upload image from URL.
* *
@ -47,9 +63,8 @@ function wc_rest_prepare_date_response( $date ) {
* @return array|WP_Error Attachment data or error message. * @return array|WP_Error Attachment data or error message.
*/ */
function wc_rest_upload_image_from_url( $image_url ) { function wc_rest_upload_image_from_url( $image_url ) {
$file_name = basename( current( explode( '?', $image_url ) ) ); $file_name = basename( current( explode( '?', $image_url ) ) );
$wp_filetype = wp_check_filetype( $file_name, null ); $parsed_url = @parse_url( $image_url );
$parsed_url = @parse_url( $image_url );
// Check parsed URL. // Check parsed URL.
if ( ! $parsed_url || ! is_array( $parsed_url ) ) { if ( ! $parsed_url || ! is_array( $parsed_url ) ) {
@ -71,6 +86,8 @@ function wc_rest_upload_image_from_url( $image_url ) {
} }
// Ensure we have a file name and type. // Ensure we have a file name and type.
$wp_filetype = wp_check_filetype( $file_name, wc_rest_allowed_image_mime_types() );
if ( ! $wp_filetype['type'] ) { if ( ! $wp_filetype['type'] ) {
$headers = wp_remote_retrieve_headers( $response ); $headers = wp_remote_retrieve_headers( $response );
if ( isset( $headers['content-disposition'] ) && strstr( $headers['content-disposition'], 'filename=' ) ) { if ( isset( $headers['content-disposition'] ) && strstr( $headers['content-disposition'], 'filename=' ) ) {
@ -81,6 +98,13 @@ function wc_rest_upload_image_from_url( $image_url ) {
$file_name = 'image.' . str_replace( 'image/', '', $headers['content-type'] ); $file_name = 'image.' . str_replace( 'image/', '', $headers['content-type'] );
} }
unset( $headers ); unset( $headers );
// Recheck filetype
$wp_filetype = wp_check_filetype( $file_name, wc_rest_allowed_image_mime_types() );
if ( ! $wp_filetype['type'] ) {
return new WP_Error( 'woocommerce_rest_invalid_image_type', __( 'Invalid image type.', 'woocommerce' ), array( 'status' => 400 ) );
}
} }
// Upload the file. // Upload the file.
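Review bot: The docblock on `wc_rest_allowed_image_mime_types()` should spell out the contract of the returned value, because it is passed straight into `wp_check_filetype()`: keys are extension regexes in WordPress's `ext1|ext2` form matched case-insensitively against the end of the file name, values are the MIME types, and a filter callback that returns anything other than such an array will make every upload fail the `! $wp_filetype['type']` check. Suggested addition under the description: `@return array Map of extension regex (wp_check_filetype() form) => MIME type; filter callbacks must return the same shape.` It is also worth stating whether this list is intended to be independent of the site's `upload_mimes`, since passing an explicit map to `wp_check_filetype()` bypasses `get_allowed_mime_types()` at this step; if `wp_upload_bits()` further down (outside the hunk) still enforces the site list, the effective set is the intersection and the docblock should say so.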