Enhance file upload handling by sanitizing accepted file types in admin settings and custom fields. Additionally, sanitize Content-Type in post endpoints to prevent HTTP header injection, ensuring improved security and data integrity.

kodinkat · kodinkat · commit ea7e56c474d4 · 2026-02-26T12:47:28.000Z
diff --git a/dt-core/admin/admin-settings-endpoints.php b/dt-core/admin/admin-settings-endpoints.php
@@ -1299,7 +1299,7 @@ public static function edit_field( WP_REST_Request $request ) {
             if ( isset( $post_fields[$field_key]['type'] ) && $post_fields[$field_key]['type'] === 'file_upload' ) {
                 // Accepted file types
                 if ( isset( $post_submission['visibility']['accepted_file_types'] ) && !empty( $post_submission['visibility']['accepted_file_types'] ) ) {
-                    $types = array_map( 'trim', explode( ',', $post_submission['visibility']['accepted_file_types'] ) );
+                    $types = array_map( 'sanitize_text_field', array_map( 'trim', explode( ',', $post_submission['visibility']['accepted_file_types'] ) ) );
                     $custom_field['accepted_file_types'] = $types;
                 }
 
diff --git a/dt-core/admin/menu/tabs/tab-custom-fields.php b/dt-core/admin/menu/tabs/tab-custom-fields.php
@@ -1070,7 +1070,7 @@ private function process_edit_field( $post_submission ){
             if ( $field['type'] === 'file_upload' ) {
                 // Accepted file types
                 if ( isset( $post_submission['accepted_file_types'] ) && !empty( $post_submission['accepted_file_types'] ) ) {
-                    $types = array_map( 'trim', explode( ',', $post_submission['accepted_file_types'] ) );
+                    $types = array_map( 'sanitize_text_field', array_map( 'trim', explode( ',', $post_submission['accepted_file_types'] ) ) );
                     $custom_field['accepted_file_types'] = $types;
                 }
 
diff --git a/dt-posts/dt-posts-endpoints.php b/dt-posts/dt-posts-endpoints.php
@@ -1504,6 +1504,12 @@ public function storage_download( WP_REST_Request $request ) {
             }
         }
 
+        // Sanitize Content-Type to prevent HTTP header injection (e.g. newlines from S3 or meta).
+        $content_type = sanitize_mime_type( $content_type );
+        if ( $content_type === '' ) {
+            $content_type = 'application/octet-stream';
+        }
+
         // Set headers for file download
         header( 'Content-Type: ' . $content_type );
         header( 'Content-Disposition: attachment; filename="' . esc_attr( $file_name ) . '"' );

Original file line number	Diff line number	Diff line change
`@@ -1299,7 +1299,7 @@ public static function edit_field( WP_REST_Request $request ) {`
`1299`	`1299`	`if ( isset( $post_fields[$field_key]['type'] ) && $post_fields[$field_key]['type'] === 'file_upload' ) {`
`1300`	`1300`	`// Accepted file types`
`1301`	`1301`	`if ( isset( $post_submission['visibility']['accepted_file_types'] ) && !empty( $post_submission['visibility']['accepted_file_types'] ) ) {`
`1302`		`- $types = array_map( 'trim', explode( ',', $post_submission['visibility']['accepted_file_types'] ) );`
	`1302`	`+ $types = array_map( 'sanitize_text_field', array_map( 'trim', explode( ',', $post_submission['visibility']['accepted_file_types'] ) ) );`
`1303`	`1303`	`$custom_field['accepted_file_types'] = $types;`
`1304`	`1304`	`}`
`1305`	`1305`
Original file line number	Diff line number	Diff line change
`@@ -1070,7 +1070,7 @@ private function process_edit_field( $post_submission ){`
`1070`	`1070`	`if ( $field['type'] === 'file_upload' ) {`
`1071`	`1071`	`// Accepted file types`
`1072`	`1072`	`if ( isset( $post_submission['accepted_file_types'] ) && !empty( $post_submission['accepted_file_types'] ) ) {`
`1073`		`- $types = array_map( 'trim', explode( ',', $post_submission['accepted_file_types'] ) );`
	`1073`	`+ $types = array_map( 'sanitize_text_field', array_map( 'trim', explode( ',', $post_submission['accepted_file_types'] ) ) );`
`1074`	`1074`	`$custom_field['accepted_file_types'] = $types;`
`1075`	`1075`	`}`
`1076`	`1076`
Original file line number	Diff line number	Diff line change
`@@ -1504,6 +1504,12 @@ public function storage_download( WP_REST_Request $request ) {`
`1504`	`1504`	`}`
`1505`	`1505`	`}`
`1506`	`1506`
	`1507`	`+ // Sanitize Content-Type to prevent HTTP header injection (e.g. newlines from S3 or meta).`
	`1508`	`+ $content_type = sanitize_mime_type( $content_type );`
	`1509`	`+ if ( $content_type === '' ) {`
	`1510`	`+ $content_type = 'application/octet-stream';`
	`1511`	`+ }`
	`1512`	`+`
`1507`	`1513`	`// Set headers for file download`
`1508`	`1514`	`header( 'Content-Type: ' . $content_type );`
`1509`	`1515`	`header( 'Content-Disposition: attachment; filename="' . esc_attr( $file_name ) . '"' );`