pressbooks / pressbooks

Open publishing. Open web. Open source.
https://pressbooks.org/
GNU General Public License v3.0

WordPress 'Upload File Types' setting for multisite not working correctly for Pressbooks #1803

Closed mcgratay closed 1 year ago

mcgratay commented 5 years ago

Description

Super admins should be able to whitelist file extensions across a whole network when that extension isn't already permitted by default. This prevents the "Sorry, this file type is not permitted for security reasons" notification that regular users receive when uploading disallowed file types.

This setting no longer works, and file extensions added and saved in the 'Upload file type' textbox are still banned across the network. Tested file types include:

Users report that nlogo file types were permitted when they began the project, but have since been resulting in the same security error.

[Screenshot: Screen Shot 2019-10-15 at 11 36 32 AM]

Relevant threads:

Steps to Reproduce

  1. Go to Network Admin > Settings > Network Settings and scroll to the 'Upload File Types' setting
  2. Add nlogo or another file extension not permitted on the network by default, then save changes
  3. Access the editor for a chapter, then click Add Media
  4. Drag a sample file of the file type you just whitelisted into the media drag and drop area
  5. See if an error appears

Expected behavior: Super admins can choose which file types are permitted network-wide

Actual behavior: Only WordPress default file types are permitted network-wide

dac514 commented 5 years ago

Would like to use this bug as an opportunity to better understand:

Particularly this claim:

Fixes issues related to #40175 that have been present since WordPress 4.7.1 https://core.trac.wordpress.org/ticket/40175

mcgratay commented 5 years ago

Additional file extensions to evaluate include:

SteelWagstaff commented 5 years ago

For the nlogo issue, there's a Unizin bedrock plugin that allows a few extra mime types: https://github.com/pressbooks/wisc-bedrock/blob/master/web/app/mu-plugins/unizin-allow-upload-extensions.php. Not sure if it's no longer installed or has stopped working or if the issue is something else altogether.

SteelWagstaff commented 5 years ago

Some context from the past: https://wpengine.com/support/non-image-upload-errors-wordpress-4-7-1/ + https://core.trac.wordpress.org/ticket/39550 + https://core.trac.wordpress.org/ticket/40175 (@greatislander was quite knowledgeable on these issues).

greatislander commented 5 years ago

Would be happy to chat about this at some point, @SteelWagstaff, @connerbw & @mcgratay. The underlying issue hasn't been fully resolved in WordPress core and there are also nuances in terms of how the network admin whitelist interacts with uploaded file validation.

dac514 commented 5 years ago

If "Lord of the files" is installed, and the Network Administrator wants to allow extra file extensions under Network Settings, and we can guess the mime type, then Upload File Types should work now.

Bonus: If SVGs have been enabled, "Lord of the files" will sanitize them at the upload stage to make sure they do not contain any dangerous exploits.

LOTF can be installed on a network by running: composer require wpackagist-plugin/blob-mimes

It installs a debug menu that can only be seen by super-admins, or administrators (capability: manage_options).

[Screenshot: lord-of-the-files-1 1]

[Screenshot: lord-of-the-files-1 2]
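The mechanism dac514 describes (the network whitelist only helps when WordPress can also be told a MIME type for the extension, and the uploaded content has to match that type) can be shown with a small mu-plugin. This is an added illustration, not Pressbooks, Unizin or Lord of the Files code. It uses the real WordPress hooks `upload_mimes` and `wp_check_filetype_and_ext` and the multisite `upload_filetypes` site option that stores the Network Settings "Upload file types" list; the extension-to-MIME map, the `example_` function name and the file name are hypothetical.

```php
<?php
/**
 * Plugin Name: Example: map network-whitelisted extensions to MIME types
 * File: wp-content/mu-plugins/example-network-upload-types.php (hypothetical)
 *
 * Added illustration only. Assumes the super admin has entered the extra
 * extensions under Network Admin > Settings > Network Settings, which
 * WordPress stores as a space-separated string in the 'upload_filetypes'
 * site option.
 */

// Constructed map: extension => MIME type WordPress should accept for it.
// An extension that is not in this map is left blocked on purpose:
// WordPress refuses files it has no MIME type for, whatever the whitelist says.
const EXAMPLE_EXTRA_MIMES = [
    'nlogo' => 'text/plain',
];

/**
 * Extensions the network whitelist contains that WordPress does not already
 * allow, restricted to those we can map to a MIME type.
 *
 * @param array $allowed The 'pattern|pattern' => mime map WordPress already uses.
 * @return array ext => mime for the extensions that still need adding.
 */
function example_missing_extensions( array $allowed ): array {
    $raw  = (string) get_site_option( 'upload_filetypes', '' );
    $list = preg_split( '/\s+/', strtolower( trim( $raw ) ), -1, PREG_SPLIT_NO_EMPTY );
    $out  = [];
    foreach ( $list as $ext ) {
        if ( ! isset( EXAMPLE_EXTRA_MIMES[ $ext ] ) ) {
            continue; // no known MIME type: stays blocked
        }
        foreach ( $allowed as $pattern => $mime ) {
            if ( in_array( $ext, explode( '|', $pattern ), true ) ) {
                continue 2; // WordPress already permits this extension
            }
        }
        $out[ $ext ] = EXAMPLE_EXTRA_MIMES[ $ext ];
    }
    return $out;
}

// Step 1: extend the extension => MIME map WordPress consults on upload.
add_filter( 'upload_mimes', function ( array $mimes ): array {
    return array_merge( $mimes, example_missing_extensions( $mimes ) );
} );

// Step 2: since 4.7.1 WordPress also compares the detected content type with
// the type mapped for the extension, so a whitelisted extension alone is not
// enough. When core has rejected the file, accept it only if the sniffed
// content type is exactly the type we mapped for that extension.
add_filter( 'wp_check_filetype_and_ext', function ( array $data, $file, $filename, $mimes ): array {
    $ext = strtolower( pathinfo( (string) $filename, PATHINFO_EXTENSION ) );
    if ( ! isset( EXAMPLE_EXTRA_MIMES[ $ext ] ) || ! empty( $data['type'] ) ) {
        return $data; // not one of ours, or core already accepted it
    }
    $detected = '';
    if ( function_exists( 'finfo_open' ) && is_readable( (string) $file ) ) {
        $finfo    = finfo_open( FILEINFO_MIME_TYPE );
        $detected = (string) finfo_file( $finfo, (string) $file );
        finfo_close( $finfo );
    }
    if ( $detected === EXAMPLE_EXTRA_MIMES[ $ext ] ) {
        $data['ext']  = $ext;
        $data['type'] = $detected;
    }
    return $data; // otherwise leave core's rejection in place
}, 10, 4 );
```

The two halves are deliberately separate: the first makes the Network Settings whitelist effective by supplying the missing MIME type, the second keeps the content check that caused the "not permitted for security reasons" error in the first place, so a file whose bytes do not match the mapped type is still refused even though its extension is whitelisted.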

dac514 commented 5 years ago

Related: https://github.com/Blobfolio/blob-mimes/issues/9