Font Library: add mime type validation for font uploads #53986
This pull request has changed or added PHP files. Please confirm whether these changes need to be synced to WordPress Core, and therefore featured in the next release of WordPress. If so, it is recommended to create a new Trac ticket and submit a pull request to the WordPress Core GitHub repository soon after this pull request is merged. If you're unsure, you can always ask for help in the #core-editor channel in WordPress Slack. Thank you! ❤️
View changed files
❔ phpunit/tests/data/fonts/DMSans.woff2
❔ phpunit/tests/data/fonts/Merriweather.ttf
❔ phpunit/tests/data/fonts/cooper-hewitt.woff
❔ lib/experimental/fonts/font-library/class-wp-font-family.php
❔ lib/experimental/fonts/font-library/class-wp-font-library.php
❔ phpunit/tests/fonts/font-library/wpFontFamily/base.php
❔ phpunit/tests/fonts/font-library/wpFontFamily/install.php
❔ phpunit/tests/fonts/font-library/wpFontFamily/uninstall.php
❔ phpunit/tests/fonts/font-library/wpRestFontLibraryController/installFonts.php
'ttf' => PHP_VERSION_ID >= 80112 ? 'font/ttf' : 'application/x-font-ttf', | ||
'woff' => PHP_VERSION_ID >= 80112 ? 'font/woff' : 'application/font-woff', | ||
'woff2' => PHP_VERSION_ID >= 80112 ? 'font/woff2' : 'application/font-woff2', |
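Review bot: The threshold `80112` is repeated as a bare literal on all three lines with no comment saying why PHP 8.1.12 is the cut-over, and a single threshold assumes the detected type for ttf, woff and woff2 all changed in the same release. Suggest hoisting the comparison into one named variable with a comment recording which PHP versions each string was verified against, so that the next detection change is a one-line edit and the tests can cover both sides of the boundary.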
I'm not sure about checking for a specific PHP version here; I can't see an example of this anywhere else in the codebase. I'm wondering if we could create an array of allowed mime types to loop through, rather than using the PHP_VERSION_ID check. Something along the lines of:
'ttf' => PHP_VERSION_ID >= 80112 ? 'font/ttf' : 'application/x-font-ttf', | |
'woff' => PHP_VERSION_ID >= 80112 ? 'font/woff' : 'application/font-woff', | |
'woff2' => PHP_VERSION_ID >= 80112 ? 'font/woff2' : 'application/font-woff2', | |
'ttf' => ['font/ttf', 'application/x-font-ttf'], | |
'woff' => ['font/woff', 'application/font-woff'], | |
'woff2' => ['font/woff2', 'application/font-woff2'], |
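Review bot: The three replacement lines change each value from a single string to an array, and the code that consumes this map is not visible here. If that consumer compares the detected type against one string per extension, the array form needs a matching change on that side, for example an `in_array( $detected, $allowed, true )` comparison, or the suggestion will not validate anything correctly.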
Yeah. I agree it is not a good approach. But the mime check doesn't support multiple values in core. So, we should proceed with this approach until there is support for multiple values.
b122d31 to 50c4674
Flaky tests detected in 4349fb94d75243ce07187bf689d74a6c69f7c220. 🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/6234837952
I found that there are at least 3 real mime types detected by WordPress core depending on the PHP_VERSION_ID:
I added a commit to try that. Not sure if it will work as expected.
I tinkered with this all day, and I was ultimately able to get all of the uploads to work on each version, but I haven't yet solidified the logic that puts the correct string based on the correct version. It's a frustrating one it is. I feel like I'm really close, but ultimately the logic just needs to be tweaked until it works for each version. Ultimately I don't know exactly which version those details changed in. I was just evaluating on minor release versions (7.2, 7.3, 7.4, 8.0, 8.1, 8.2). It's close and I should be able to finish this in the morning with a fresh head.
add version check for font mimes update ttf mime
79b9bf6 to 4349fb9
I tested all of the mime types in all of the PHP versions that I could and found the following to work:
That gave me the following logic for setting mime type expectations:
I wasn't able to test 7.2 (I couldn't get any of my environments to run with that version) but since the minimum version of PHP for WordPress is 7.4 I don't think we should try to make an exception for it. At the moment the version id to switch between
4349fb9 to 9d0f1e2
9d0f1e2 to 67ab0b2
Thank you @matiasbenedetto @pbking for the help and inputs. Updated the mime values based on right PHP versions. All unit tests are working good with all PHP versions.
Unit Tests are now passing
Went through all scenarios manually with noted versions of PHP and all working as expected.
I believe this is good to 🚢
add_filter( 'upload_mimes', array( 'WP_Font_Library', 'set_allowed_mime_types' ) ); | ||
add_filter( 'upload_dir', array( 'WP_Font_Library', 'set_upload_dir' ) ); | ||
$were_assets_written = $this->download_or_move_font_faces( $files ); | ||
remove_filter( 'upload_dir', array( 'WP_Font_Library', 'set_upload_dir' ) ); |
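Review bot: `upload_mimes` is added on the first line but, unlike `upload_dir`, has no matching `remove_filter` after `download_or_move_font_faces( $files )`, so the font types stay in the allowed list for any other upload handled later in the same request. Suggest pairing it with `remove_filter( 'upload_mimes', array( 'WP_Font_Library', 'set_allowed_mime_types' ) );` next to the existing `upload_dir` removal, and doing both removals in a `finally` block so they still run if the write step throws.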
Should we remove the filter as we do with the upload_dir? I would believe that yes, because otherwise, we would be enabling that globally and that's not the intention I guess.
I tried removing that and the mime type function is no longer working. I'm not sure that we can.
I believe that we should bring this in as it stands. Testing showed we may need the global filter, but the local filter (get_upload_overrides()) maybe not.
Either way I believe this should be brought in and we can work out if it makes sense to pare it down.
Ok, seems good to go. If the mimes in get_upload_overrides() are not necessary, we could remove them, right? Could you add a follow-up issue to remind us to do that?
Agreed. Removed it here #54647
Nice work, guys. Thanks for diving into detail on this.
LGTM 🚀
Hi! I'm seeing a few unit test failures (tests introduced in #54490) failing on trunk since this commit. I can't quite work out the cause, hoping folks who worked on this PR might know. Thank you!
It's OK they are failing. It seems related to the mime types of the mock files used in the tests. We need to fix the failing ones. Thanks for flagging it @ramonjd.
Thanks for the quick turnaround!! 🙇🏻
Small smoke testing follow-up re: the PHP versions comment from @pbking above:
WordPress 6.3 (and 6.4) still offer support down to PHP 7.0, so PHP < 7.4 is important to test if the version could be a factor. I used Playground running GB The files tested included real samples, fakes, and some that could be accidentally included in a drag-n-drop situation (like a font license text file or alternate format):
What?
This adds additional mime type validation for uploaded font files.
Why?
To prevent file uploads without a matching mime type.
How?
It checks the file mime type against the following list and allows only the allowed types.
Testing Instructions
To make the fonts library backend work you need to add this line in your wp-config.php file:
define( 'FONT_LIBRARY_ENABLE', true );
Test with PHP version 8.2
Open the Playground link
Try uploading the following supported font formats:
Test with a PHP version < 8
Change the PHP version to 7.4 or any other < 8 and test the same set of font uploads.
It should work successfully with all versions of PHP.
Related issues:
Fixes: #53576
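
One way to write the check described under "How?" so that it tolerates the per-version mime strings discussed in the thread, as an added example that is not code from this pull request: each extension maps to a list of accepted types (the strings quoted in the review comments) and, going one step beyond the page, to the format's 4-byte signature. The function names, sample filenames and the signature check are assumptions of the example.

```php
<?php
// Added example, not Gutenberg code. The mime strings are the ones quoted in
// this thread; the signatures and all function names are assumptions.
const FONT_TYPES = array(
	'ttf'   => array(
		'mimes' => array( 'font/ttf', 'application/x-font-ttf' ),
		'magic' => "\x00\x01\x00\x00", // sfnt version 1.0 (TrueType outlines only).
	),
	'woff'  => array(
		'mimes' => array( 'font/woff', 'application/font-woff' ),
		'magic' => 'wOFF',
	),
	'woff2' => array(
		'mimes' => array( 'font/woff2', 'application/font-woff2' ),
		'magic' => 'wOF2',
	),
);

// Accept a file only if extension, detected mime type and leading bytes agree.
function is_allowed_font( string $filename, string $detected_mime, string $head ): bool {
	$ext = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
	if ( ! array_key_exists( $ext, FONT_TYPES ) ) {
		return false; // Extension is not on the allowlist at all.
	}
	$type = FONT_TYPES[ $ext ];
	return in_array( $detected_mime, $type['mimes'], true )
		&& 0 === strncmp( $head, $type['magic'], 4 );
}

// Same check for a file on disk; needs the fileinfo extension for detection.
function is_allowed_font_file( string $path ): bool {
	$mime = ( new finfo( FILEINFO_MIME_TYPE ) )->file( $path );
	$head = (string) file_get_contents( $path, false, null, 0, 4 );
	return is_string( $mime ) && is_allowed_font( basename( $path ), $mime, $head );
}

// Constructed cases: filename, mime type as detection might report it, first bytes.
$cases = array(
	array( 'DMSans.woff2', 'font/woff2', 'wOF2' ),             // accepted
	array( 'DMSans.woff2', 'application/font-woff2', 'wOF2' ), // accepted, other alias
	array( 'cooper-hewitt.woff', 'font/woff2', 'wOF2' ),       // rejected: woff2 content
	array( 'OFL.txt', 'text/plain', 'Copy' ),                  // rejected: extension
	array( 'license.ttf', 'text/plain', 'Copy' ),              // rejected: renamed text
);
foreach ( $cases as list( $name, $mime, $head ) ) {
	printf( "%-20s %-24s %s\n", $name, $mime, is_allowed_font( $name, $mime, $head ) ? 'accept' : 'reject' );
}
```

Because the signature comparison does not depend on which string the installed detection library reports, it gives the same verdict on every PHP version, while the mime list only has to grow when a new alias is observed.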