media_sideload_image() allows upload of 301-redirected non-images

[anonymized_154007]

When you give media_sideload_image() URLs that are not images, an error is raised.

If for example I do:

media_sideload_image("http://google.com", $post_id, $img_desc);

then I get this error:

Sorry, this file type is not permitted for security reasons.

And this is absolutely normal and expected.

But there is a case when media_sideload_image() do not detect non-images. This case is when the URL given to the function looks like an image but is redirected by Apache to another place.

For example, on my server, this URL:

http://coolcavemen.com/e107_plugins/autogallery/Gallery/default.jpg

redirects to:

http://coolcavemen.com/photos/

Now if in some PHP code I do:

media_sideload_image("http://coolcavemen.com/e107_plugins/autogallery/Gallery/default.jpg", $post_id, $img_desc);

then no error is raised and I end up with the HTML served at http://coolcavemen.com/photos/ being uploaded to my WordPress site as-is:

kevin@kev-laptop$ file ./wp-content/uploads/2011/04/default.jpg
./wp-content/uploads/2011/04/default.jpg: HTML document text

Of course this upload appears broken in the media manager, as you can see in this screenshot: ​http://twitpic.com/4hlyks

[kurtpayne]

I can confirm this still happens with 3.3 beta 4. The problem is that the type is sniffed from the first URL instead of the content-type of the file that was downloaded.

Related #18730.

[kurtpayne]

Attempts to get MIME info and block non-image sideloads. Uses fileinfo extension, falls back to mime_content_type(), gracefully degrades to current behavior if nothing is available.

[ericlewis]

Should this logic go further upstream, to media_handle_sideload()?