IntenseWebs/WordPress
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Don't allow non-image uploads for custom headers and backgrounds. props kovshenin. fixes #22149.

Browse Source 
git-svn-id: http://core.svn.wordpress.org/trunk@22521 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Andrew Nacin
2012-11-10 05:36:37 +00:00
parent 2d13e264a4
commit e14ff50cfb
3 changed files with 25 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
wp-admin/includes/ajax-actions.php
View File

@@ -1609,6 +1609,17 @@ function wp_ajax_upload_attachment() {
$post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
// If the context is custom header or background, make sure the uploaded file is an image.
if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) {
$wp_filetype = wp_check_filetype_and_ext( $_FILES['async-upload']['tmp_name'], $_FILES['async-upload']['name'], false );
if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) ) {
wp_send_json_error( array(
'message' => __( 'The uploaded file is not a valid image. Please try again.' ),
'filename' => $_FILES['async-upload']['name'],
) );
}
}
$attachment_id = media_handle_upload( 'async-upload', $post_id, $post_data );
if ( is_wp_error( $attachment_id ) ) {