Lord of the Files: Enhanced Upload Security

설명

WordPress relies mostly on name-based validation when deciding whether or not to allow a particular file, leaving the door open for various kinds of attacks.

Lord of the Files adds to this content-based validation and sanitizing, making sure that files are what they say they are and safe for inclusion on your site.

The main features include:

  • Robust real filetype detection;
  • Full MIME alias mapping;
  • SVG sanitization (if SVG uploads have been independently allowed);
  • File upload validation debugger;
  • Fixes issues related to #40175 that have been present since WordPress 4.7.1.
  • Fixes ambiguous media extensions #40921

Requirements

  • WordPress 5.2 or later.
  • PHP 7.2 or later.
  • dom PHP extension.
  • fileinfo PHP extension.
  • mbstring PHP extension.
  • xml PHP extension.

Please note: it is not safe to run WordPress atop a version of PHP that has reached its End of Life. Future releases of this plugin might, out of necessity, drop support for old, unmaintained versions of PHP. To ensure you continue to receive plugin updates, bug fixes, and new features, just make sure PHP is kept up-to-date. 🙂

Privacy Policy

This plugin does not make use of or collect any “Personal Data”.

스크린샷

  • Example output from Tools > Debug File Validation.
  • The plugin includes a settings wizard under Settings > File Settings.

설치

Nothing fancy! You can use the built-in installer on the Plugins page or extract and upload the blob-mimes folder to your plugins directory via FTP.

To install this plugin as Must-Use, download, extract, and upload the blob-mimes folder to your mu-plugins directory and follow the third example listed under Caveats; the main file for this plugin is blob-mimes/index.php.

Please note: MU Plugins are removed from the usual update-checking process, so you will need to handle all future updates manually.

FAQ

Does this require any theme or config changes?

This plugin is intended to be an activate-and-forget sort of affair for most users. All features are enabled by default.

But if you’re a developer or system administrator, you might take a peek at Tools > File Validation Reference for a list of public filters you can hook into to change things up, and Settings > File Settings for global configuration overrides.

This has mostly helped but I am still having trouble with one file…

While this plugin extends MIME alias handling more than 20-fold(!), we are still busy tracking down all the edge cases.

Please go to Tools > Debug File Validation and post the output from that page into a new support ticket for this plugin.

We’ll gladly see if we can cook up a fix or workaround!

Does this plugin enable SVG support?

No. This plugin does not modify your site’s allowed upload types (see e.g. upload_mimes for that). However if SVGs are otherwise enabled for your site, this plugin will sanitize them at the upload stage to make sure they do not contain any dangerous exploits.

There are a number of SVG-related filters that can be used to modify the sanitization behavior. Take a look at Tools > File Validation Reference for more information.

If you find the filters too aggressive, add const LOTF_NO_SANITIZE_SVGS = true; to your wp-config.php to disable the extra sanitizing.

후기

2019년 September 5일
this plugin made the wpmu file upload list work to allow correctly svg and other types. thank you!
2017년 November 6일
I dealt with upload issues and Josh (along with his creation - the LoTF plugin) helped mi to solve them.
2017년 August 22일
thanks, this helped me out!
모든 6 평가 읽기

기여자 & 개발자

“Lord of the Files: Enhanced Upload Security”(은)는 오픈 소스 소프트웨어입니다. 다음의 사람들이 이 플러그인에 기여하였습니다.

기여자

자국어로 “Lord of the Files: Enhanced Upload Security”(을)를 번역하십시오.

개발에 관심이 있으십니까?

코드 탐색하기는, SVN 저장소를 확인하시거나, 개발 기록RSS로 구독하십시오.

변경이력

1.1.8

  • [Misc] Update MIME database.

1.1.7

  • [Misc] Update MIME database.

1.1.6

  • [Fix] Improve MuseScore detection.
  • [Misc] Update MIME database.

1.1.5

  • [Fix] Improve GPX detection.
  • [Misc] Update MIME database.

1.1.4

  • [Remove] Remove the plugin contributor monitoring feature.