WP upload/select image , isn’t this a security issue?

Have no idea were that code snippet comes from but security for uploaded files should be addressed in three steps

  1. Upload permission should be restricted only to people you trust (assuming you are the admin/owner), and security is just part of the reason (think someone uploading porn to a church site)

  2. You should not let the php interpreter execute anything in the uploads directory. This will prevent people uploading and then executing rouge php scripts on your server.

  3. Any file which is not of an approved extension serve as a simple octet stream. Configured properly this will prevent people uploading JS and using them for cookie theft. A twist on it is to serve uploaded files from a different domain.

How to implement steps 2 and 3 depends on type of web sever you use.

Related Posts:

  1. simple solution for restricting access to (some) uploads/downloads
  2. Protecting direct access to PDF and ZIP unless user logged in (without plugin)
  3. What permissions does wp-content/uploads need?
  4. can not upload file .vtt on wordpress 5.0.1
  5. What are the security reasons to disallow Microsoft Word uploads?
  6. Password protect some uploaded files, so only logged-in users can view them
  7. How to protect uploads in multisite if user is not logged in?
  8. File Upload Permissions
  9. Extend the list of MIME-types supported by the builtin uploader in 3.3
  10. How to safely allow user upload on CPTs?
  11. making media URL secured
  12. Is it safe to allow non-admin users access to media uploader
  13. Is it safe to upload JSON files to upload folder?
  14. Setting up a HIPAA secured form / file upload
  15. Where to store sensitive uploaded file?
  16. What is the best way to upload a temporary & sensitive file and then delete it when done
  17. Basic File/Post restriction plugin
  18. Auto shortlink for file uploads
  19. How to parse an image that was just uploaded to make sure it doesn’t contain malicious code?
  20. How does WP media uploader create the 3 different sized images, and how can I duplicate it
  21. Create image formats with different qualities when uploading
  22. Which filters or actions to use after a media upload and delete?
  23. wp_delete_attachment doesn’t delete images in wp-content/uploads/
  24. Force WordPress 3.3 to use Flash uploader
  25. How can I speed up a slow loading media library?
  26. What to do with unattached logos and header uploaded via native wordpress uploader?
  27. upload_mimes filter has no effect
  28. How can you limit the number of images / videos that can be uploaded to a WordPress post
  29. Failure upgrading / updating site to WordPress 4.7
  30. Moving Media Library
  31. Add item to media library from blob or dataUrl
  32. How do I enable the customize theme page to accept svg’s?
  33. Frontend Simple Local Avatar upload
  34. WP3.5 Media Uploader – how to make it accept multiple images?
  35. How to define a remote uploads directory?
  36. Looks like image resize is not working well
  37. resize images not crop
  38. Trying to add filename over image in Media Browser
  39. How Can I pass an image file to wp_handle_upload?
  40. Setting wp_temp_dir and permissions not working for “Missing A Temporary Folder” error
  41. Allowed memory size exhausted. WordPress side solution
  42. frontend upload return async-ajax.php 302
  43. Prevent File Uploads other than images
  44. How can I upload a file with no extension
  45. how to change max file upload size WordPress 4.9.8 [closed]
  46. Media handle sideload not working
  47. How to overwrite wp_unique_filename logic
  48. How to change upload directory based on frontend form input name or ID?
  49. capability for upload on front-end (An error occurred in the upload. Please try again later )
  50. How to solve: An error occured in the upload
  51. What function can I use to override the multisite maximum file size upload restriction?
  52. Flatten media files in uploads directory via linux terminal eliminating thumbnails?
  53. List and show uploaded pdf files dynamically
  54. WordPress Fancybox Resize Large Image
  55. WordPress suddenly starts uploading media to an old (backdated) folder
  56. Delete files uploaded using the wp_upload_bits() function
  57. XML-RPC: How to add media caption to uploaded image?
  58. Interface for logged-in users to upload/download files
  59. wp_handle_upload() does not list uploaded file in the media library?
  60. wordpress media upload given An error occurred in the upload. Please try again later
  61. WordPress won’t write in a CIFS drive from himself
  62. WordPress Media Library – Upload space used
  63. Local WordPress install plugin wont upload image
  64. What relationship determines which images appear in ‘uploaded to post’ in edit/add post media dialog
  65. User permissions to upload images
  66. Why is WordPress’ file upload limit so low? Is changing it harmful?
  67. How to get the uploaded image url in media_handle_upload()?
  68. How to change format of file link ( Name ) when insert from media uploder
  69. Using dashboard uploader instead of FTP
  70. Use wp_handle_upload outside of a POST
  71. admin notice on Insert Media popup screen
  72. How to allow .bin files upload?
  73. Add SWF file to wordpress through custom template
  74. Uploading flash flipbook to mu wordpress site
  75. Uploaded images result in a file url with full path on disk appended
  76. Migrating WordPress Uploads To S3 Object Storage
  77. Upload Video using wordpress rest api with ionic
  78. download images from wp-content/uploads/year/month/DSC_123.jpg
  79. SVG not displaying in Media Tab in Backend
  80. Remove files unrelated to WordPress from uploads
  81. Images not displaying on site or media library
  82. Picture upload issue – broken thumbnail
  83. Hide obj path in source code
  84. Media not displaying other users uploads – WordPress 4.9.2
  85. Unable to upload anything to WordPress site
  86. Creating an Uploads folder with post ID
  87. I migrated WPMU site: Unable to create directory uploads/… Desperate for help!
  88. “Could not write file” error in wp_upload_bits function
  89. Add media button does not insert image in the editor
  90. How to find out if all enqueued files are uploaded?
  91. Files larger than 500 kilobytes are not allowed
  92. How to split my uploaded media into directories?
  93. All files unattached in Media Library
  94. WordPress media upload multiple images
  95. Media Upload Directory to MMYY instead of YYYY/MM
  96. Is there a way to force Featured image to show as attachement?
  97. Auto-Import of WXR File
  98. how upload images and videos to specific folder like wp-content\uploads\folder-name
  99. Media upload takes too long
  100. Problems with defining UPLOADS constant