File Type Is Not Permitted - Cronjob

I am currently developing a cron job that downloads an XML file from an external source and stores it within the WordPress media library. For debugging purposes, I have installed the plugin Advanced Cron Manager, which allows me to run cron jobs manually.

The manual execution of the cronjob works fine, without any problems. When the cronjob is executed by its schedule, I am facing: Sorry, This File Type Is Not Permitted for Security Reasons.

Within my cron function, I have configured:

/** Allow all filetypes to be uploaded */
define('ALLOW_UNFILTERED_UPLOADS', true);

Since this did not work, I also tried adding ALLOW_UNFILTERED_UPLOADS within my wp-config.php, which ended up with the same result. Also, adding ALLOW_UNFILTERED_UPLOADS to wp-cron.php did not help.

During the execution, I also see the following notice:

[24-Nov-2021 08:54:14 UTC] PHP Notice Constant ALLOW_UNFILTERED_UPLOADS already defined in /var/www/virtual/wpwwwdev/html/wp-content/plugins/phantoms-wp/includes/cron.php on line 16

So the const is definitely set. Is there something else I have to set for the cron call?

The error is thrown by:

$file = [
    'uri' => 'https://vereine.football-verband.de/xmlspielplan.php5?Ausgabe=xml',
    'description' => date('d.m.Y', time()) . ' - XML Spielplan',
    'name' => 'xmlspielplan.xml',
    'type' => 'xml',
    'tmp_name' => download_url('https://vereine.football-verband.de/xmlspielplan.php5?Ausgabe=xml')
];

media_handle_sideload( $file, 0, $file['description'] );

Best regards, Sebastian



Defining ALLOW_UNFILTERED_UPLOADS isn't enough anymore: it doesn't grant the capability, it just permits non-admin users who have the unfiltered_uploads capability to upload any file (except on a multisite). You also need to grant yourself the capability, e.g. from Sebastian's answer here:

#
# For this, see: wp-includes/capabilities.php > map_meta_cap()
#
function wpse_6533_map_unrestricted_upload_filter($caps, $cap) {
  if ($cap == 'unfiltered_upload') {
    $caps = array();
    $caps[] = $cap;
  }

  return $caps;
}

add_filter('map_meta_cap', 'wpse_6533_map_unrestricted_upload_filter', 0, 2);

However it's probably simpler to just enable the XML filetype for your cron job, e.g.

function mime_types_add_xml( $mime_types ) {
    // PHP's fileinfo returns text/xml not application/xml
    $mime_types[ 'xml' ] = 'text/xml';
    return $mime_types;
}
if ( defined( 'DOING_CRON' ) ) {
    add_filter( 'mime_types', 'mime_types_add_xml' );
}

This however will only work if your XML files have document declarations e.g.

<?xml version="1.0" encoding="utf-8"?>

WordPress uses PHP fileinfo to detect whether the file matches the extension you gave it, and that only generates text/xml for me with the declaration. (Else it'll return text/plain, then reject the file since that doesn't match the expected text/xml for the .xml extension.) This check can be fixed with a wp_check_filetype_and_ext filter if necessary.
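One way to write the wp_check_filetype_and_ext filter mentioned above, as an added example that is not part of the original answer: it restores the .xml type only during WP-Cron and only when the downloaded file parses as well-formed XML. The function name example_allow_plain_xml_in_cron and the well-formedness check are assumptions of this example.

```php
<?php
/**
 * Added example (hypothetical function name): accept .xml files that fileinfo
 * reports as text/plain, but only inside WP-Cron and only if they parse as XML.
 */
function example_allow_plain_xml_in_cron( $data, $file, $filename, $mimes, $real_mime = null ) {
    // Never relax the check for interactive uploads.
    if ( ! wp_doing_cron() ) {
        return $data;
    }
    // Core already accepted the file: nothing to do.
    if ( ! empty( $data['ext'] ) && ! empty( $data['type'] ) ) {
        return $data;
    }
    // Only the .xml extension is in scope.
    if ( 'xml' !== strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) ) ) {
        return $data;
    }
    // Without the XML declaration fileinfo reports text/plain; any other
    // detected type (e.g. an executable renamed to .xml) stays rejected.
    $expected = array( 'text/plain', 'text/xml', 'application/xml' );
    if ( $real_mime && ! in_array( $real_mime, $expected, true ) ) {
        return $data;
    }
    // Require well-formed XML. LIBXML_NONET forbids network access while
    // parsing, and entity substitution is left at its default (off).
    $previous = libxml_use_internal_errors( true );
    $doc      = new DOMDocument();
    $ok       = $doc->load( $file, LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $previous );
    if ( ! $ok ) {
        return $data;
    }
    // Restore the values core cleared when the detected type did not match.
    $data['ext']  = 'xml';
    $data['type'] = 'text/xml';
    return $data;
}
add_filter( 'wp_check_filetype_and_ext', 'example_allow_plain_xml_in_cron', 10, 5 );
```

This keeps ALLOW_UNFILTERED_UPLOADS and the unfiltered_upload capability out of the picture, so the cron job can store this one file type without opening uploads to every extension.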
