Checks if the specified file is allowed to be uploaded based on its actual MIME type.
Using this function, you can check if the uploaded file is permitted in WordPress. You can upload a file, for example, using download_url().
How the function works:
First, it determines the MIME type of the file based on the extension taken from $filename. For this, it uses the list of MIME types allowed for upload get_allowed_mime_types().
Then, it retrieves the actual MIME type of the file.
For images, the actual MIME type is determined by the function wp_get_image_mime(). For all other files, it uses the function finfo_file().
It then compares the obtained and actual MIME types, overwriting the obtained one if it does not match the actual.
It checks again if the resulting MIME type is allowed for upload. Then, if:
Allowed for upload - it will return an array of data with the actual MIME type and the appropriate file extension.
Not allowed for upload - it will return an array of empty data. This means that the file did not pass the check.
For images (WP 6.0)
If it is determined that the file extension specified in $filename does not match the actual file type, then the array element proper_filename will contain the name of the file with the correct extension - which corresponds to the actual MIME type of the file. That is, the provided file name will be corrected. For example, if we specified file.png but the actual file type is jpg, then the name will change to file.jpg, and this change will be reflected in the array element proper_filename.
This function's check is performed when uploading files to the media library through the functions:
Array. An array of data with the file extension, its MIME type, and if the extension was incorrectly specified, the correct file name (with the correct extension). The element proper_filename is created only for images (svg is not considered an image).
The full path to the physical file on disk (its extension does not matter). The actual MIME type of the file will be determined from it.
$filename(string) (required)
The name of the file. It can be anything. Usually, the actual file from $file is copied with this name if the check passes.
$mimes(string[])
An array of allowed MIME types for upload. Where the key is the extension, and the value is the corresponding MIME type. A regular expression can be specified in the key. For example:
Suppose we upload a picture from a site that we can't trust for sure. So after uploading we need to check if it is really an image file and not some other type of file with the same extension as the image, for example, png, jpg, etc.
$file_url = 'http://placekitten.com/200/300';
// for the download_url function
require_once ABSPATH . 'wp-admin/includes/file.php';
$tmpfile = download_url( $file_url );
$checked = wp_check_filetype_and_ext( $tmpfile, 'kitten.jpg' );
print_r( $checked );
function wp_check_filetype_and_ext( $file, $filename, $mimes = null ) {
$proper_filename = false;
// Do basic extension validation and MIME mapping.
$wp_filetype = wp_check_filetype( $filename, $mimes );
$ext = $wp_filetype['ext'];
$type = $wp_filetype['type'];
// We can't do any further validation without a file to work with.
if ( ! file_exists( $file ) ) {
return compact( 'ext', 'type', 'proper_filename' );
}
$real_mime = false;
// Validate image types.
if ( $type && str_starts_with( $type, 'image/' ) ) {
// Attempt to figure out what type of image it actually is.
$real_mime = wp_get_image_mime( $file );
$heic_images_extensions = array(
'heif',
'heics',
'heifs',
);
if ( $real_mime && ( $real_mime !== $type || in_array( $ext, $heic_images_extensions, true ) ) ) {
/**
* Filters the list mapping image mime types to their respective extensions.
*
* @since 3.0.0
*
* @param array $mime_to_ext Array of image mime types and their matching extensions.
*/
$mime_to_ext = apply_filters(
'getimagesize_mimes_to_exts',
array(
'image/jpeg' => 'jpg',
'image/png' => 'png',
'image/gif' => 'gif',
'image/bmp' => 'bmp',
'image/tiff' => 'tif',
'image/webp' => 'webp',
'image/avif' => 'avif',
/*
* In theory there are/should be file extensions that correspond to the
* mime types: .heif, .heics and .heifs. However it seems that HEIC images
* with any of the mime types commonly have a .heic file extension.
* Seems keeping the status quo here is best for compatibility.
*/
'image/heic' => 'heic',
'image/heif' => 'heic',
'image/heic-sequence' => 'heic',
'image/heif-sequence' => 'heic',
)
);
// Replace whatever is after the last period in the filename with the correct extension.
if ( ! empty( $mime_to_ext[ $real_mime ] ) ) {
$filename_parts = explode( '.', $filename );
array_pop( $filename_parts );
$filename_parts[] = $mime_to_ext[ $real_mime ];
$new_filename = implode( '.', $filename_parts );
if ( $new_filename !== $filename ) {
$proper_filename = $new_filename; // Mark that it changed.
}
// Redefine the extension / MIME.
$wp_filetype = wp_check_filetype( $new_filename, $mimes );
$ext = $wp_filetype['ext'];
$type = $wp_filetype['type'];
} else {
// Reset $real_mime and try validating again.
$real_mime = false;
}
}
}
// Validate files that didn't get validated during previous checks.
if ( $type && ! $real_mime && extension_loaded( 'fileinfo' ) ) {
$finfo = finfo_open( FILEINFO_MIME_TYPE );
$real_mime = finfo_file( $finfo, $file );
if ( PHP_VERSION_ID < 80100 ) { // finfo_close() has no effect as of PHP 8.1.
finfo_close( $finfo );
}
$google_docs_types = array(
'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
);
foreach ( $google_docs_types as $google_docs_type ) {
/*
* finfo_file() can return duplicate mime type for Google docs,
* this conditional reduces it to a single instance.
*
* @see https://bugs.php.net/bug.php?id=77784
* @see https://core.trac.wordpress.org/ticket/57898
*/
if ( 2 === substr_count( $real_mime, $google_docs_type ) ) {
$real_mime = $google_docs_type;
}
}
// fileinfo often misidentifies obscure files as one of these types.
$nonspecific_types = array(
'application/octet-stream',
'application/encrypted',
'application/CDFV2-encrypted',
'application/zip',
);
/*
* If $real_mime doesn't match the content type we're expecting from the file's extension,
* we need to do some additional vetting. Media types and those listed in $nonspecific_types are
* allowed some leeway, but anything else must exactly match the real content type.
*/
if ( in_array( $real_mime, $nonspecific_types, true ) ) {
// File is a non-specific binary type. That's ok if it's a type that generally tends to be binary.
if ( ! in_array( substr( $type, 0, strcspn( $type, '/' ) ), array( 'application', 'video', 'audio' ), true ) ) {
$type = false;
$ext = false;
}
} elseif ( str_starts_with( $real_mime, 'video/' ) || str_starts_with( $real_mime, 'audio/' ) ) {
/*
* For these types, only the major type must match the real value.
* This means that common mismatches are forgiven: application/vnd.apple.numbers is often misidentified as application/zip,
* and some media files are commonly named with the wrong extension (.mov instead of .mp4)
*/
if ( substr( $real_mime, 0, strcspn( $real_mime, '/' ) ) !== substr( $type, 0, strcspn( $type, '/' ) ) ) {
$type = false;
$ext = false;
}
} elseif ( 'text/plain' === $real_mime ) {
// A few common file types are occasionally detected as text/plain; allow those.
if ( ! in_array(
$type,
array(
'text/plain',
'text/csv',
'application/csv',
'text/richtext',
'text/tsv',
'text/vtt',
),
true
)
) {
$type = false;
$ext = false;
}
} elseif ( 'application/csv' === $real_mime ) {
// Special casing for CSV files.
if ( ! in_array(
$type,
array(
'text/csv',
'text/plain',
'application/csv',
),
true
)
) {
$type = false;
$ext = false;
}
} elseif ( 'text/rtf' === $real_mime ) {
// Special casing for RTF files.
if ( ! in_array(
$type,
array(
'text/rtf',
'text/plain',
'application/rtf',
),
true
)
) {
$type = false;
$ext = false;
}
} else {
if ( $type !== $real_mime ) {
/*
* Everything else including image/* and application/*:
* If the real content type doesn't match the file extension, assume it's dangerous.
*/
$type = false;
$ext = false;
}
}
}
// The mime type must be allowed.
if ( $type ) {
$allowed = get_allowed_mime_types();
if ( ! in_array( $type, $allowed, true ) ) {
$type = false;
$ext = false;
}
}
/**
* Filters the "real" file type of the given file.
*
* @since 3.0.0
* @since 5.1.0 The `$real_mime` parameter was added.
*
* @param array $wp_check_filetype_and_ext {
* Values for the extension, mime type, and corrected filename.
*
* @type string|false $ext File extension, or false if the file doesn't match a mime type.
* @type string|false $type File mime type, or false if the file doesn't match a mime type.
* @type string|false $proper_filename File name with its correct extension, or false if it cannot be determined.
* }
* @param string $file Full path to the file.
* @param string $filename The name of the file (may differ from $file due to
* $file being in a tmp directory).
* @param string[]|null $mimes Array of mime types keyed by their file extension regex, or null if
* none were provided.
* @param string|false $real_mime The actual mime type or false if the type cannot be determined.
*/
return apply_filters( 'wp_check_filetype_and_ext', compact( 'ext', 'type', 'proper_filename' ), $file, $filename, $mimes, $real_mime );
}