Font Library: add mime type validation for font uploads (#53986)

* add mime type validation for font uploads add version check for font mimes update ttf mime * fix unit tests * adding ttf mime type for PHP 7.3 * adding ttf mime types for PHP 7 * fix constant reference * testing version for php8 * format * add unit tests for woff, woff2 and otf font types * fix unit tests --------- Co-authored-by: Matias Benedetto <matias.benedetto@gmail.com>
WordPress · Sep 19, 2023 · 47f56bc · 47f56bc · github-actions · Sep 19, 2023
1 parent 40436a4
commit 47f56bc
Show file tree

Hide file tree

Showing 9 changed files with 89 additions and 11 deletions.
diff --git a/lib/experimental/fonts/font-library/class-wp-font-family.php b/lib/experimental/fonts/font-library/class-wp-font-family.php
@@ -181,7 +181,8 @@ private function get_upload_overrides( $filename ) {
 			'test_form'                => false,
 			// Seems mime type for files that are not images cannot be tested.
 			// See wp_check_filetype_and_ext().
-			'test_type'                => false,
+			'test_type'                => true,
+			'mimes'                    => WP_Font_Library::ALLOWED_FONT_MIME_TYPES,
 			'unique_filename_callback' => static function () use ( $filename ) {
 				// Keep the original filename.
 				return $filename;
@@ -594,6 +595,7 @@ private function create_or_update_font_post() {
 	 * @return array|WP_Error An array of font family data on success, WP_Error otherwise.
 	 */
 	public function install( $files = null ) {
+		add_filter( 'upload_mimes', array( 'WP_Font_Library', 'set_allowed_mime_types' ) );
 		add_filter( 'upload_dir', array( 'WP_Font_Library', 'set_upload_dir' ) );
 		$were_assets_written = $this->download_or_move_font_faces( $files );
 		remove_filter( 'upload_dir', array( 'WP_Font_Library', 'set_upload_dir' ) );

diff --git a/lib/experimental/fonts/font-library/class-wp-font-library.php b/lib/experimental/fonts/font-library/class-wp-font-library.php
@@ -20,11 +20,13 @@
  */
 class WP_Font_Library {
 
+	const PHP_7_TTF_MIME_TYPE = PHP_VERSION_ID >= 70300 ? 'application/font-sfnt' : 'application/x-font-ttf';
+
 	const ALLOWED_FONT_MIME_TYPES = array(
 		'otf'   => 'font/otf',
-		'ttf'   => 'font/ttf',
-		'woff'  => 'font/woff',
-		'woff2' => 'font/woff2',
+		'ttf'   => PHP_VERSION_ID >= 70400 ? 'font/sfnt' : self::PHP_7_TTF_MIME_TYPE,
+		'woff'  => PHP_VERSION_ID >= 80100 ? 'font/woff' : 'application/font-woff',
+		'woff2' => PHP_VERSION_ID >= 80100 ? 'font/woff2' : 'application/font-woff2',
 	);
 
 	/**
@@ -118,4 +120,16 @@ public static function set_upload_dir( $defaults ) {
 
 		return $defaults;
 	}
+
+	/**
+	 * Sets the allowed mime types for fonts.
+	 *
+	 * @since 6.4.0
+	 *
+	 * @param array $mime_types List of allowed mime types.
+	 * @return array Modified upload directory.
+	 */
+	public static function set_allowed_mime_types( $mime_types ) {
+		return array_merge( $mime_types, self::ALLOWED_FONT_MIME_TYPES );
+	}
 }
diff --git a/phpunit/tests/data/fonts/DMSans.woff2 b/phpunit/tests/data/fonts/DMSans.woff2
diff --git a/phpunit/tests/data/fonts/Merriweather.ttf b/phpunit/tests/data/fonts/Merriweather.ttf
diff --git a/phpunit/tests/data/fonts/cooper-hewitt.woff b/phpunit/tests/data/fonts/cooper-hewitt.woff
diff --git a/phpunit/tests/fonts/font-library/wpFontFamily/base.php b/phpunit/tests/fonts/font-library/wpFontFamily/base.php
@@ -36,7 +36,7 @@ public function set_up() {
 		parent::set_up();
 
 		$merriweather_tmp_name = wp_tempnam( 'Merriweather-' );
-		file_put_contents( $merriweather_tmp_name, 'Mocking file content' );
+		copy( __DIR__ . '/../../../data/fonts/Merriweather.ttf', $merriweather_tmp_name );
 		$this->merriweather = array(
 			'font_data'     => array(
 				'name'       => 'Merriweather',

diff --git a/phpunit/tests/fonts/font-library/wpFontFamily/install.php b/phpunit/tests/fonts/font-library/wpFontFamily/install.php
@@ -161,7 +161,13 @@ public function data_should_download_fontfaces() {
 	public function test_should_move_local_fontfaces( $font_data, array $files_data, array $expected ) {
 		// Set up the temporary files.
 		foreach ( $files_data as $file ) {
-			file_put_contents( $file['tmp_name'], 'Mocking file content' );
+			if ( 'font/ttf' === $file['type'] ) {
+				copy( __DIR__ . '/../../../data/fonts/Merriweather.ttf', $file['tmp_name'] );
+			} elseif ( 'font/woff' === $file['type'] ) {
+				copy( __DIR__ . '/../../../data/fonts/cooper-hewitt.woff', $file['tmp_name'] );
+			} elseif ( 'font/woff2' === $file['type'] ) {
+				copy( __DIR__ . '/../../../data/fonts/DMSans.woff2', $file['tmp_name'] );
+			}
 		}
 
 		$font = new WP_Font_Family( $font_data );
@@ -180,7 +186,8 @@ public function test_should_move_local_fontfaces( $font_data, array $files_data,
 	 */
 	public function data_should_move_local_fontfaces() {
 		return array(
-			'1 local font'  => array(
+			// ttf font type.
+			'1 local font'     => array(
 				'font_data'  => array(
 					'name'       => 'Inter',
 					'slug'       => 'inter',
@@ -205,7 +212,7 @@ public function data_should_move_local_fontfaces() {
 				),
 				'expected'   => array( 'inter_italic_900.ttf' ),
 			),
-			'2 local fonts' => array(
+			'2 local fonts'    => array(
 				'font_data'  => array(
 					'name'       => 'Lato',
 					'slug'       => 'lato',
@@ -243,6 +250,58 @@ public function data_should_move_local_fontfaces() {
 				),
 				'expected'   => array( 'lato_normal_400.ttf', 'lato_normal_500.ttf' ),
 			),
+			// woff font type.
+			'woff local font'  => array(
+				'font_data'  => array(
+					'name'       => 'Cooper Hewitt',
+					'slug'       => 'cooper-hewitt',
+					'fontFamily' => 'Cooper Hewitt',
+					'fontFace'   => array(
+						array(
+							'fontFamily'   => 'Cooper Hewitt',
+							'fontStyle'    => 'italic',
+							'fontWeight'   => '900',
+							'uploadedFile' => 'files0',
+						),
+					),
+				),
+				'files_data' => array(
+					'files0' => array(
+						'name'     => 'cooper-hewitt.woff',
+						'type'     => 'font/woff',
+						'tmp_name' => wp_tempnam( 'Cooper-' ),
+						'error'    => 0,
+						'size'     => 123,
+					),
+				),
+				'expected'   => array( 'cooper-hewitt_italic_900.woff' ),
+			),
+			// woff2 font type.
+			'woff2 local font' => array(
+				'font_data'  => array(
+					'name'       => 'DM Sans',
+					'slug'       => 'dm-sans',
+					'fontFamily' => 'DM Sans',
+					'fontFace'   => array(
+						array(
+							'fontFamily'   => 'DM Sans',
+							'fontStyle'    => 'regular',
+							'fontWeight'   => '500',
+							'uploadedFile' => 'files0',
+						),
+					),
+				),
+				'files_data' => array(
+					'files0' => array(
+						'name'     => 'DMSans.woff2',
+						'type'     => 'font/woff2',
+						'tmp_name' => wp_tempnam( 'DMSans-' ),
+						'error'    => 0,
+						'size'     => 123,
+					),
+				),
+				'expected'   => array( 'dm-sans_regular_500.woff2' ),
+			),
 		);
 	}
 

diff --git a/phpunit/tests/fonts/font-library/wpFontFamily/uninstall.php b/phpunit/tests/fonts/font-library/wpFontFamily/uninstall.php
@@ -72,7 +72,7 @@ public function data_should_return_error_when_not_able_to_uninstall() {
 	public function test_should_uninstall( $font_data, array $files_data ) {
 		// Set up.
 		foreach ( $files_data as $file ) {
-			file_put_contents( $file['tmp_name'], 'Mocking file content' );
+			copy( __DIR__ . '/../../../data/fonts/Merriweather.ttf', $file['tmp_name'] );
 		}
 		$font = new WP_Font_Family( $font_data );
 		$font->install( $files_data );
@@ -103,7 +103,7 @@ public function test_should_uninstall_only_its_font_family( $font_data, array $f
 
 		// Set up the font family to be uninstalled.
 		foreach ( $files_data as $file ) {
-			file_put_contents( $file['tmp_name'], 'Mocking file content' );
+			copy( __DIR__ . '/../../../data/fonts/Merriweather.ttf', $file['tmp_name'] );
 		}
 		$font = new WP_Font_Family( $font_data );
 		$font->install( $files_data );

diff --git a/phpunit/tests/fonts/font-library/wpRestFontLibraryController/installFonts.php b/phpunit/tests/fonts/font-library/wpRestFontLibraryController/installFonts.php
@@ -40,10 +40,13 @@ public function test_install_fonts( $font_families, $files, $expected_response )
 			if ( isset( $installed_font['fontFace'] ) || isset( $expected_font['fontFace'] ) ) {
 				for ( $face_index = 0; $face_index < count( $installed_font['fontFace'] ); $face_index++ ) {
 					// Checks that the font asset were created correctly.
-					$this->assertStringEndsWith( $expected_font['fontFace'][ $face_index ]['src'], $installed_font['fontFace'][ $face_index ]['src'], 'The src of the fonts were not updated as expected.' );
+					if ( isset( $installed_font['fontFace'][ $face_index ]['src'] ) ) {
+						$this->assertStringEndsWith( $expected_font['fontFace'][ $face_index ]['src'], $installed_font['fontFace'][ $face_index ]['src'], 'The src of the fonts were not updated as expected.' );
+					}
 					// Removes the src from the response to compare the rest of the data.
 					unset( $installed_font['fontFace'][ $face_index ]['src'] );
 					unset( $expected_font['fontFace'][ $face_index ]['src'] );
+					unset( $installed_font['fontFace'][ $face_index ]['uploadedFile'] );
 				}
 			}