Is disabling test_form in wp_handle_upload a security concern?

I’m writing a plugin that modifies the default behavior when uploading a file for a post or to the media library. I’m setting $overrides in wp_handle_upload() with a custom $unique_filename_callback.

Once I added that, it tripped the following check inside wp_handle_upload(), because $_POST['action'] wasn't set. (I'm not sure why it wasn't, but it wasn't.)

if ( $test_form && (!isset( $_POST['action'] ) || ($_POST['action'] != $action ) ) )
    return call_user_func($upload_error_handler, $file, __( 'Invalid form submission.' ));

So, I set $overrides['test_form'] = false, and now it's working. I'm wondering if that could be a potential security issue, though. Would that allow someone to post a form from a remote source or something?

It seems like it’s normal to disable it when you’re creating your own upload fields, but I’m using the built-in post upload form, so I want to make sure.


1 comment

  1. I wouldn't say it's a security concern – since you're using this plugin within the admin (I presume after the user has been authenticated, i.e. after admin_init), then you've already got protection against any John Doe posting a form to your script.

    What it does provide is an additional layer of authentication. All it really boils down to is sending a 'secret' along with the form, and then checking for its existence (and that it matches) before continuing.

    For an attacker, they’d need to know this secret in order to breach, for example, using CSRF or XSS.

    This is the very nature of how WordPress nonces work. In fact you’d be a lot better off using these instead of test_form. They go one step better in that they’re secrets that expire, so the window for an attacker is made even smaller.

    Check out Jaquith’s article on Nonces.
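As an added illustration of the answer's advice (example code, not from the original post or from WordPress core): a plugin that sets test_form to false but replaces that check with a capability check and a WordPress nonce before calling wp_handle_upload(). The function names, the nonce action 'myplugin_upload' and the field name 'myplugin_file' are assumptions.

```php
<?php
// Added example: nonce + capability check in place of test_form.
// All myplugin_* names and the nonce action are assumptions.

// Render the plugin's own upload form with a nonce field.
function myplugin_upload_form() {
    ?>
    <form method="post" enctype="multipart/form-data">
        <?php wp_nonce_field( 'myplugin_upload', 'myplugin_nonce' ); ?>
        <input type="file" name="myplugin_file" />
        <?php submit_button( 'Upload' ); ?>
    </form>
    <?php
}

// Handle the submission: authorisation and nonce first, upload last.
function myplugin_handle_upload() {
    if ( empty( $_FILES['myplugin_file'] ) ) {
        return;
    }
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'You are not allowed to upload files.' );
    }
    // Plays the role of the test_form check, but with an expiring secret.
    // check_admin_referer() dies if the nonce is missing, wrong or expired.
    check_admin_referer( 'myplugin_upload', 'myplugin_nonce' );

    $overrides = array(
        'test_form'                => false, // nonce already verified above
        'unique_filename_callback' => 'myplugin_unique_filename',
    );
    $result = wp_handle_upload( $_FILES['myplugin_file'], $overrides );

    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ) );
    }
    // $result['file'], $result['url'] and $result['type'] are now usable.
}

// Filename callback; wp_handle_upload() passes ( $dir, $name, $ext ),
// where $ext already includes the leading dot.
function myplugin_unique_filename( $dir, $name, $ext ) {
    $base = sanitize_file_name( pathinfo( $name, PATHINFO_FILENAME ) );
    return time() . '-' . $base . $ext;
}

add_action( 'admin_init', 'myplugin_handle_upload' );
```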