.XLSM files restricted
Closed this issue · 6 comments
Thank you so much for this plugin! It's such a huge help.
I'm posting this here as it seems the original trac ticket is closed (https://core.trac.wordpress.org/ticket/39963).
We can upload almost all of our files again, but have found one file type that is still triggering the security error: .xlsm files.
FILE
  WORDPRESS:
    name: survey_results.xlsm
    type: application/vnd.ms-excel.sheet.macroEnabled.12
    ext: xlsm
  FILEINFO:
    type: application/zip
    ext/type: FALSE
  BLOB-MIMES:
    name:
    type: FALSE
    ext: FALSE
    ext/type: FALSE
=======
Just wanted to let you know.
Thanks for the report! Real world feedback is really helpful in this cat-and-mouse game, particularly for MS Office files, which are crazy wiggly. On the one hand it speaks to Microsoft's credit that their formats are so flexible, but on the other, wow, probably could just pick a standard or two. Haha.
I assume you're running version 0.5.0 of the WP plugin Lord of the Files (i.e. what spun off from #39963)?
If so, would you mind swapping the aliases.php file with this fresh one from Git? Then give that XLSM file another shot and see if it uploads?
If it does, let me know and I'll push the MIME DB update to the WP plugin.
So, I was actually using version 0.1.3 (you're moving fast with development!).
Unfortunately, our server is on PHP 5.3. We're actually upgrading servers and will have PHP 7, but not for another month.
We do have a test server with PHP 7 set up, so let me sync things over there and test it; it may take a day or two to get back to you.
I did manage to get version 0.1.3 working by adding this to the media-mimes.php file:

```php
'xlsm' => array(
    'application/vnd.ms-excel.sheet.macroenabled.12',
    'application/vnd.ms-office',
    'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
    'application/zip',
),
```
Thank you so much! And sorry about the requirement bump!
The plugin was originally just a wrapper for the proposed Core patches from #39963, a stopgap so users could fix their sites without having to wait an indeterminate (but surely long) amount of time for an official fix to land.
Ultimately WordPress didn't feel that the security enhancements were necessary and so the bug fix was thrown out with the bathwater. Haha. I didn't want to leave it there, though, and so decided to repurpose the plugin as a more general and permanent upload-related security tool. A few items on the wishlist required a minimum of PHP 5.4 to do well, so rather than leave some operations disabled or weakened for some people (which could lead to a false sense of safety), I opted to just raise the baseline up a little.
Hopefully that doesn't cause you too much grief before your migration to PHP 7. And thanks again for the feedback.
I just did a little testing on our updated server and the first thing I tried was uploading an xlsm file without Lord of the Files enabled. Figured it would be best to try it without it on first.
Looks like our new environment doesn't have the same problem and the file uploaded fine. Not sure if it's the newer version of php or something else. Not sure I can test this all that well for you since it's working without the plugin.
Thanks for trying, but no worries. "Inconsistency" is the name of the game. Haha.
The type information returned by the fileinfo.so PHP extension will vary based on the operating system, PHP version, library version, and various system configurations. To make things crazier, some file formats (like XLS) allow for multiple internal structures, many of which end up with different MIME type responses even from a single server.
What blob-mimes actually does is maintain a massive database of MIME history so that it can answer simple questions like, "Does it make sense that file.xxx is believed to be application/whatever?"
Lord of the Files brings this database to WordPress so that inconsistent server responses can be mapped to the singular whitelist the CMS uses to accept or reject file uploads. Otherwise if WordPress thinks a WOFF is font/x-woff and PHP thinks it is application/font-woff (both common associations at one point, neither correct today), the upload would fail.