Handling email piping attachments and detecting unsupported file types

Ok, seems I was on the right track… I still haven’t found a WordPress function that achieves what I need, but the closest I have found is to use the get_allowed_mime_types function.

I created the following function which checks if the file is within the get_allowed_mime_types array and if so returns true (file processed using wp_insert_attachment, wp_generate_attachment_metadata and wp_update_attachment_metadata) or false (file zipped and then processed using wp_insert_attachment, wp_generate_attachment_metadata and wp_update_attachment_metadata)

function is_upload_allowed( $file ) {
    $filetype = wp_check_filetype( $file );
    $file_ext = $filetype['ext'];
    $mimes = get_allowed_mime_types();
    foreach ( $mimes as $type => $mime ) {
        if ( strpos( $type, $file_ext ) !== false ) {
            return true;
        }
    }
    return false;
}

So my updated code looks like this:

$upload_dir = wp_upload_dir();
$tmp_pathfile="/home/user/public_html/wp-content/uploads/tmp_file.js";
$tmp_filename="tmp_file.js";
$filetype = wp_check_filetype( $tmp_pathfile );
if ( is_upload_allowed( tmp_pathfile ) ) { // This is where I want to check if the file is supported by the WordPress Media Library
    $data = array(
        'guid' => $upload_dir['url'] . "https://wordpress.stackexchange.com/" . $tmp_filename,
        'post_title' => $tmp_filename,
        'post_content' => '',
        'post_status' => 'inherit',
        'post_mime_type' => $filetype['type']
    );
    $theID = wp_insert_attachment( $data, $tmp_pathfile );
    $attach_data = wp_generate_attachment_metadata( $theID, $tmp_pathfile );
    wp_update_attachment_metadata( $theID, $attach_data );
} else { // File not supported by the WordPress Media Library
    $zip_pathfile = $tmp_pathfile . '.zip';
    while ( file_exists( $zip_file ) ) {
        $zip_file = $tmp_pathfile . '_' . time() . '.zip';
    }
    $zip = new ZipArchive();
    if ( $zip->open( $zip_file, ZipArchive::CREATE ) ) {
        $zip->addFile( $tmp_pathfile, $tmp_filename );
        $zip->close();
        $filetype = wp_check_filetype( $zip_file );
        $data = array(
            'guid'           => $zip_file, 
            'post_mime_type' => $filetype['type'],
            'post_title'     => basename( $zip_file ),
            'post_content'   => '',
            'post_status'    => 'inherit'
        );
        $theID = wp_insert_attachment( $data, $zip_file );
        $attach_data = wp_generate_attachment_metadata( $theID, $zip_file );
        wp_update_attachment_metadata( $theID, $attach_data );
        unlink( $tmp_pathfile);
    }
}

It works, would still be happy to hear if there is a builtin WordPress function that achieves the same as the is_upload_allowed function I created.

Related Posts:

  1. How to get WordPress to save upload file beyond web root [closed]
  2. Security: AWS (shared hosting) claims template file malicious
  3. what is a auth_user_file.txt?
  4. How to view PHP on live site
  5. Is moving wp-config outside the web root really beneficial?
  6. Hide the fact a site is using WordPress?
  7. Verifying that I have fully removed a WordPress hack?
  8. Can I Prevent Enumeration of Usernames?
  9. Best way to eliminate xmlrpc.php?
  10. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  11. Are Nonces Useless?
  12. What is the difference between esc_html filter vs attribute_escape filter?
  13. Can upload doc and pdf but not ppt – not permitted for security reasons
  14. Which KSES should be used and when?
  15. How do WordPress Nonces Work?
  16. Protecting direct access to PDF and ZIP unless user logged in (without plugin)
  17. How can I easily verify a core or plugin update has not broken anything?
  18. can not upload file .vtt on wordpress 5.0.1
  19. Disable comment windows for all existing posts (pages/blogposts)
  20. Generate WordPress salt
  21. Vanilla WordPress install, what can/should I put in disable_functions?
  22. Stop wordpress automatically escaping $_POST data
  23. how can i embed wordpress backend in iframe
  24. Handling nonces for actions from guests to logged-in users
  25. WordPress Logout Only If User Click Logout or If User Delete Browser History
  26. Can I force a password change?
  27. How brute-forcer knows that the password is cracked for target username?
  28. wp_insert_post disable HTML filter
  29. What is pclzip.lib.php file that wordfence think it’s a malicious code
  30. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  31. How to disable XML-RPC from Linux command-line in a total way?
  32. How to remove javascript malware in wordpress site [closed]
  33. Completely remove the author url
  34. Securing my WordPress Files and Directories
  35. Restricting access to content
  36. About WordPress site security
  37. Relative security of different releases of WordPress
  38. Is there any point setting the keys and salts in wp-config.php?
  39. Where to store OAuth 2.0 client id and secret?
  40. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  41. Using HTACCESS for Secret Access
  42. Definitive wordpress directory ownership and permissions on linux
  43. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  44. Changing Table Prefixes – once done, am I good to go going forward?
  45. wordpress website host price and security [closed]
  46. How to implement secure frontend image upload? [closed]
  47. Are there security risks in working directly in the themes folder that builds into a theme folder?
  48. How do I get around “Sorry, this file type is not permitted for security reasons”?
  49. Secure WordPress: Change admin
  50. Changing the default header name
  51. how much information can we hide when using wordpress cms?
  52. Is it safe to use a global wp nonce per user instead of a nonce per action?
  53. Wordfence detects change in wp-admin/includes/upgrade.php
  54. Basic password protection without using users and roles
  55. System setting changed by system user
  56. Does meta-data need to be sanitized?
  57. Will there be security updates for WordPress 4.9.9
  58. Any known bugs that could cause disappearance of the wp_users table?
  59. On new server, site got hacked, permissions a bit strange? Please help
  60. 404/500 error on content images if Referer header is from another domain [closed]
  61. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  62. Restrict Access without Creating Users
  63. Switching between security plugins is a risk?
  64. How to obfuscate wp-config.php or code
  65. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  66. How to prevent to direct access of my custom plugin folder/files
  67. Setting up a HIPAA secured form / file upload
  68. Checking for origin of a xmlrpc request
  69. RESTRICT EDIT of PHP files?
  70. wp-content – permissions for files/folders created by apache
  71. How can I restrict access to specific parts of a page, not just the page itself?
  72. User generated content and security
  73. Are major WordPress updates mandatory for security?
  74. i moved wp-config.php outside of public html and this broke my website
  75. Monitor wordpress all external calls
  76. Is it safe to use the basic administration with reduced rights for private member space
  77. Securing WordPress running on Azure platform
  78. Verifying that I have fully removed a WordPress hack?
  79. Spam Registrations
  80. How to Protect Uploads, if User is not Logged In?
  81. How can I have more confidence that WP plugins aren’t getting and storing user data?
  82. Standard Method for Securing a WordPress Site
  83. wordpress security (only one part of the site)
  84. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  85. Any way to disable /wp-login.php redirecting to the site folder?
  86. Folder Permissions + Security Concerns
  87. Malware/Permission bug removal?
  88. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  89. Secure a WordPress website in 2019: one plugin or a combinations of them?
  90. What are the different types of firewall protections available for a WordPress website?
  91. Run a security scan on WordPress site that has .htaccess password [closed]
  92. Is this a WordPress security bug?
  93. Competitor is somehow accessing MetaData on a hidden WordPress site
  94. WordPress Hacks/Defacing [closed]
  95. How to rename files during upload to a random string?
  96. How do you search for backdoors from the previous IT person?
  97. Possible to change email address in keypair?
  98. Why is SSH password authentication a security risk?
  99. Is wp-cron.php vulnerable to external attacks and how to protect it?
  100. How to address security vulnerabilities: LUCKY13, BEAST, and BREACH