WordPress Arbitrary File Upload Vulnerability (2)

        // tail of wp_check_filetype(): $type and $ext start out as false and are
        // only set when an allowed extension matches the END of the filename
        foreach ( $mimes as $ext_preg => $mime_match ) {
                $ext_preg = '!\.(' . $ext_preg . ')$!i';
                if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {
                        $type = $mime_match;
                        $ext = $ext_matches[1];
                        break;
                }
        }

        return compact( 'ext', 'type' );
}

The file's type is set to the predefined MIME type associated with the supplied extension, and the extension itself is obtained from a regular expression that matches one of the allowed MIME extension strings after the last period in the name. If the extension does not appear in the allowed MIME list ($mimes), $ext stays FALSE and WordPress produces the error message "File type does not meet security guidelines. Try another".

The following function performs some further checks on the filename before the file is uploaded:

$filename = wp_unique_filename( $uploads['path'], $file['name'], $unique_filename_callback );

wp-includes/functions.php:

line 2096:
function wp_unique_filename( $dir, $filename, $unique_filename_callback = null ) {
        // sanitize the file name before we begin processing
        $filename = sanitize_file_name($filename);

---[cut, code that only matters if uploaded file already exists]---

line 2126:
        return $filename;
}

To fully understand the filename filtering WordPress performs, the sanitize_file_name() function also has to be examined:

wp-includes/formatting.php:

line 601:
function sanitize_file_name( $filename ) {
        $filename_raw = $filename;
        // characters that are stripped from the name outright
        $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";",
                ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}",
                chr(0));
        $special_chars = apply_filters('sanitize_file_name_chars', $special_chars, $filename_raw);
        $filename = str_replace($special_chars, '', $filename);
        // collapse runs of whitespace and dashes into a single dash
        $filename = preg_replace('/[\s-]+/', '-', $filename);
        // strip leading/trailing dots, dashes and underscores; note that dots INSIDE
        // the name (e.g. "name.php.jpg") are left untouched
        $filename = trim($filename, '.-_');
        return apply_filters('sanitize_file_name', $filename, $filename_raw);
}

The filtering does not take files with multiple extensions into account: a user can upload an arbitrary PHP script with a .php.jpg extension, and the malicious script is executed by requesting the uploaded file directly.
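To make the gap concrete, the following is an added Python model (not WordPress code) of the two checks quoted above: it shows that a name such as shell.php.jpg is accepted as image/jpeg because only the final extension is examined, and it adds a hardened variant that drops every intermediate extension that is not itself in the allowed list, mirroring the approach later versions of sanitize_file_name() took. The MIME table is a constructed subset of WordPress's real list.

```python
import re

# Constructed subset of the allowed MIME map (extension regex -> MIME type);
# the real get_allowed_mime_types() table is much longer.
ALLOWED_MIMES = {
    "jpg|jpeg|jpe": "image/jpeg",
    "gif": "image/gif",
    "png": "image/png",
    "pdf": "application/pdf",
}

SPECIAL_CHARS = ['?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"',
                 '&', '$', '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '\0']


def sanitize_file_name(filename):
    """Model of the sanitize_file_name() shown above: strips special characters,
    collapses whitespace/dashes, trims '.-_' at both ends. Inner dots survive."""
    for ch in SPECIAL_CHARS:
        filename = filename.replace(ch, '')
    filename = re.sub(r'[\s-]+', '-', filename)
    return filename.strip('.-_')


def check_filetype(filename, mimes=ALLOWED_MIMES):
    """Model of the wp_check_filetype() loop: returns (ext, type) for the LAST
    extension only, or (False, False) when nothing in the allowed list matches."""
    for ext_preg, mime in mimes.items():
        m = re.search(r'\.(' + ext_preg + r')$', filename, re.IGNORECASE)
        if m:
            return m.group(1), mime
    return False, False


def hardened_file_name(filename, mimes=ALLOWED_MIMES):
    """Reimplementation of the later fix: every intermediate '.part' that is not
    an allowed extension on its own is removed, so 'shell.php.jpg' -> 'shell.jpg'."""
    filename = sanitize_file_name(filename)
    parts = filename.split('.')
    if len(parts) <= 2:
        return filename
    base, last = parts[0], parts[-1]
    for part in parts[1:-1]:
        # keep an inner part only if it would pass the extension check by itself
        if check_filetype(base + '.' + part, mimes)[0]:
            base += '.' + part
    return base + '.' + last
```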

Copyright notice: unless otherwise stated, all articles are original to this site.

When reposting, cite the source: https://www.heiqu.com/wwpddz.html