From 5efc326c3417768e02fa3cae2309a666f184d847 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sun, 18 Oct 2020 21:04:33 +0000 Subject: [PATCH] Media: Add an `image_sideload_extensions` filter to the list of allowed file extensions when sideloading an image from a URL. Props paulschreiber, hellofromTonya Fixes #50695 git-svn-id: https://develop.svn.wordpress.org/trunk@49198 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-admin/includes/media.php | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/src/wp-admin/includes/media.php b/src/wp-admin/includes/media.php index e2f21426dd..1efea2f0ee 100644 --- a/src/wp-admin/includes/media.php +++ b/src/wp-admin/includes/media.php @@ -980,8 +980,29 @@ function wp_media_upload_handler() { function media_sideload_image( $file, $post_id = 0, $desc = null, $return = 'html' ) { if ( ! empty( $file ) ) { + $allowed_extensions = array( 'jpg', 'jpeg', 'jpe', 'png', 'gif' ); + + /** + * Filters the list of allowed file extensions when sideloading an image from a URL. + * + * The default allowed extensions are: + * + * - `jpg` + * - `jpeg` + * - `jpe` + * - `png` + * - `gif` + * + * @since 5.6.0 + * + * @param string[] $allowed_extensions Array of allowed file extensions. + * @param string $file The URL of the image to download. + */ + $allowed_extensions = apply_filters( 'image_sideload_extensions', $allowed_extensions, $file ); + $allowed_extensions = array_map( 'preg_quote', $allowed_extensions ); + // Set variables for storage, fix file filename for query strings. - preg_match( '/[^\?]+\.(jpe?g|jpe|gif|png)\b/i', $file, $matches ); + preg_match( '/[^\?]+\.(' . implode( '|', $allowed_extensions ) . ')\b/i', $file, $matches ); if ( ! $matches ) { return new WP_Error( 'image_sideload_failed', __( 'Invalid image URL.' ) );