@param string $file_type */ private function add_file_extension_to_allowed_extensions_list( $file_type ) { $file_handler = $this->file_type_handlers[ $file_type ]; $file_extension = $file_handler->get_file_extension(); // Only add the file extension to the list if it doesn't already exist in it. if ( ! in_array( $file_extension, $this->allowed_file_extensions, true ) ) { $this->allowed_file_extensions[] = $file_extension; } } /** * Save Base64 as File * * Saves a Base64 string as a .tmp file in Elementor's temporary files directory. * * @since 3.3.0 * @access private * * @param $file * @param array|null $allowed_file_extensions * * @return array|\WP_Error */ private function save_base64_to_tmp_file( $file, $allowed_file_extensions = null ) { if ( empty( $file['fileName'] ) || empty( $file['fileData'] ) ) { return new \WP_Error( 'file_error', self::INVALID_FILE_CONTENT ); } $file_extension = pathinfo( $file['fileName'], PATHINFO_EXTENSION ); $is_file_type_allowed = $this->is_file_type_allowed( $file_extension, $allowed_file_extensions ); if ( is_wp_error( $is_file_type_allowed ) ) { return $is_file_type_allowed; } $file_content = base64_decode( $file['fileData'] ); // phpcs:ignore // If the decode fails if ( ! $file_content ) { return new \WP_Error( 'file_error', self::INVALID_FILE_CONTENT ); } $temp_filename = $this->create_temp_file( $file_content, $file['fileName'] ); if ( is_wp_error( $temp_filename ) ) { return $temp_filename; } return [ // the original uploaded file name 'name' => $file['fileName'], // The path to the temporary file 'tmp_name' => $temp_filename, ]; } /** * Validate File * * @since 3.3.0 * @access private * * @param array $file * @param array $file_extensions Optional * @return bool|\WP_Error */ private function validate_file( array $file, $file_extensions = [] ) { $uploaded_file_name = isset( $file['name'] ) ? $file['name'] : $file['tmp_name']; $file_extension = pathinfo( $uploaded_file_name, PATHINFO_EXTENSION ); if ( ! $this->is_elementor_wp_media_upload() ) { $is_file_type_allowed = $this->is_file_type_allowed( $file_extension, $file_extensions ); if ( is_wp_error( $is_file_type_allowed ) ) { return $is_file_type_allowed; } } $file_type_handler = $this->get_file_type_handlers( $file_extension ); // If Elementor does not have a handler for this file type, don't block it. if ( ! $file_type_handler ) { return true; } // If there is a File Type Handler for the uploaded file, it means it is a non-standard file type. In this case, // we check if unfiltered file uploads are enabled or not before allowing it. if ( ! self::are_unfiltered_uploads_enabled() ) { $error = 'json' === $file_extension ? esc_html__( 'You don\'t have permission to upload JSON files. Contact the administrator.', 'elementor' ) : esc_html__( 'This file is not allowed for security reasons.', 'elementor' ); return new \WP_Error( Exceptions::FORBIDDEN, $error ); } // Here is each file type handler's chance to run its own specific validations return $file_type_handler->validate_file( $file ); } /** * Is File Type Allowed * * Checks whether the passed file extension is allowed for upload. * * @since 3.5.0 * @access private * * @param $file_extension * @param $filtered_file_extensions * @return bool|\WP_Error */ private function is_file_type_allowed( $file_extension, $filtered_file_extensions ) { $allowed_file_extensions = $this->get_allowed_file_extensions(); if ( $filtered_file_extensions ) { $allowed_file_extensions = array_intersect( $allowed_file_extensions, $filtered_file_extensions ); } $is_allowed = false; // Check if the file type (extension) is in the allowed extensions list. If it is a non-standard file type (not // enabled by default in WordPress) and unfiltered file uploads are not enabled, it will not be in the allowed // file extensions list. foreach ( $allowed_file_extensions as $allowed_extension ) { if ( preg_match( '/' . $allowed_extension . '/', $file_extension ) ) { $is_allowed = true; break; } } if ( ! $is_allowed ) { $is_allowed = new \WP_Error( Exceptions::FORBIDDEN, 'Uploading this file type is not allowed.' ); } /** * Elementor File Type Allowed * * Allows setting file types * * @since 3.5.0 * * @param bool|\WP_Error $is_allowed */ return apply_filters( 'elementor/files/allow-file-type/' . $file_extension, $is_allowed ); } /** * Remove Directory with Files * * @since 3.3.0 * @access private * * @param string $dir * @return bool */ private function remove_directory_with_files( $dir ) { $dir_iterator = new \RecursiveDirectoryIterator( $dir, \RecursiveDirectoryIterator::SKIP_DOTS ); foreach ( new \RecursiveIteratorIterator( $dir_iterator, \RecursiveIteratorIterator::CHILD_FIRST ) as $name => $item ) { if ( is_dir( $name ) ) { rmdir( $name ); } elseif ( is_file( $name ) ) { unlink( $name ); } } return rmdir( $dir ); } /** * Get Allowed File Extensions * * Retrieve an array containing the list of file extensions allowed for upload. * * @since 3.3.0 * @access private * * @return array file extension/s */ private function get_allowed_file_extensions() { if ( ! $this->allowed_file_extensions ) { $this->allowed_file_extensions = array_keys( get_allowed_mime_types() ); foreach ( $this->get_file_type_handlers() as $file_type => $handler ) { if ( $handler->is_upload_allowed() ) { // Add the file extension to the allowed extensions list only if unfiltered files upload is enabled. $this->add_file_extension_to_allowed_extensions_list( $file_type ); } } } return $this->allowed_file_extensions; } public function __construct() { $this->register_file_types(); add_filter( 'upload_mimes', [ $this, 'support_unfiltered_elementor_file_uploads' ] ); add_filter( 'wp_handle_upload_prefilter', [ $this, 'handle_elementor_wp_media_upload' ] ); add_filter( 'wp_check_filetype_and_ext', [ $this, 'check_filetype_and_ext' ], 10, 4 ); // Ajax. add_action( 'elementor/ajax/register_actions', [ $this, 'register_ajax_actions' ] ); } }