_path ); return $unique_dir_path; } /** * Register Ajax Actions * * Runs on the 'elementor/ajax/register_actions' hook. Receives the AJAX module as a parameter and registers * callbacks for specified action IDs. * * @since 3.5.0 * @access public * * @param Ajax $ajax */ public function register_ajax_actions( Ajax $ajax ) { $ajax->register_ajax_action( 'enable_unfiltered_files_upload', [ $this, 'enable_unfiltered_files_upload' ] ); } /** * Set Unfiltered Files Upload * * @since 3.5.0 * @access public */ public function enable_unfiltered_files_upload() { if ( ! current_user_can( 'manage_options' ) ) { return; } update_option( self::UNFILTERED_FILE_UPLOADS_KEY, 1 ); } /** * Support Unfiltered File Uploads * * When uploading a file within Elementor, this method adds the registered * file types to WordPress' allowed mimes list. This will only happen if the user allowed unfiltered file uploads * in Elementor's settings in the admin dashboard. * * @since 3.5.0 * @access public * * @param array $allowed_mimes * @return array allowed mime types */ final public function support_unfiltered_elementor_file_uploads( $allowed_mimes ) { if ( $this->is_elementor_upload() && $this->are_unfiltered_uploads_enabled() ) { foreach ( $this->file_type_handlers as $file_type_handler ) { $allowed_mimes[ $file_type_handler->get_file_extension() ] = $file_type_handler->get_mime_type(); } } return $allowed_mimes; } /** * Set Elementor Upload State * * @since 3.5.0 * @access public * * @param $state */ public function set_elementor_upload_state( $state ) { $this->is_elementor_upload = $state; } /** * Is Elementor Upload * * This method checks if the current session includes a request to upload files made via Elementor. * * @since 3.5.0 * @access private * * @return bool */ private function is_elementor_upload() { return $this->is_elementor_upload || $this->is_elementor_media_upload() || $this->is_elementor_wp_media_upload(); } /** * Is Elementor Media Upload * * Checks whether the current request includes uploading files via Elementor which are not destined for the Media * Library. * * @since 3.5.0 * @access private * * @return bool */ private function is_elementor_media_upload() { // Sometimes `uploadTypeCaller` passed as a GET parameter when using the WP Media Library REST API, where the // whole request body is occupied by the uploaded file. return isset( $_REQUEST['uploadTypeCaller'] ) && 'elementor-media-upload' === $_REQUEST['uploadTypeCaller']; // phpcs:ignore } /** * Is Elementor WP Media Upload * * Checks whether the current request is a request to upload files into the WP Media Library via Elementor. * * @since 3.3.0 * @access private * * @return bool */ private function is_elementor_wp_media_upload() { return isset( $_REQUEST['uploadTypeCaller'] ) && 'elementor-wp-media-upload' === $_REQUEST['uploadTypeCaller']; // phpcs:ignore } /** * Add File Extension To Allowed Extensions List * * @since 3.3.0 * @access private * * @param string $file_type */ private function add_file_extension_to_allowed_extensions_list( $file_type ) { $file_handler = $this->file_type_handlers[ $file_type ]; $file_extension = $file_handler->get_file_extension(); // Only add the file extension to the list if it doesn't already exist in it. if ( ! in_array( $file_extension, $this->allowed_file_extensions, true ) ) { $this->allowed_file_extensions[] = $file_extension; } } /** * Save Base64 as File * * Saves a Base64 string as a .tmp file in Elementor's temporary files directory. * * @since 3.3.0 * @access private * * @param $file * @return array|\WP_Error */ private function save_base64_to_tmp_file( $file ) { $file_content = base64_decode( $file['fileData'] ); // phpcs:ignore // If the decode fails if ( ! $file_content ) { return new \WP_Error( 'file_error', self::INVALID_FILE_CONTENT ); } $temp_filename = $this->create_temp_file( $file_content, $file['fileName'] ); if ( is_wp_error( $temp_filename ) ) { return $temp_filename; } return [ // the original uploaded file name 'name' => $file['fileName'], // The path to the temporary file 'tmp_name' => $temp_filename, ]; } /** * Validate File * * @since 3.3.0 * @access private * * @param array $file * @param array $file_extensions Optional * @return bool|\WP_Error */ private function validate_file( array $file, $file_extensions = [] ) { $uploaded_file_name = isset( $file['name'] ) ? $file['name'] : $file['tmp_name']; $file_extension = pathinfo( $uploaded_file_name, PATHINFO_EXTENSION ); if ( ! $this->is_elementor_wp_media_upload() ) { $is_file_type_allowed = $this->is_file_type_allowed( $file_extension, $file_extensions ); if ( is_wp_error( $is_file_type_allowed ) ) { return $is_file_type_allowed; } } $file_type_handler = $this->get_file_type_handlers( $file_extension ); // If Elementor does not have a handler for this file type, don't block it. if ( ! $file_type_handler ) { return true; } // If there is a File Type Handler for the uploaded file, it means it is a non-standard file type. In this case, // we check if unfiltered file uploads are enabled or not before allowing it. if ( ! self::are_unfiltered_uploads_enabled() ) { return new \WP_Error( Exceptions::FORBIDDEN, esc_html__( 'This file is not allowed for security reasons.', 'elementor' ) ); } // Here is each file type handler's chance to run its own specific validations return $file_type_handler->validate_file( $file ); } /** * Is File Type Allowed * * Checks whether the passed file extension is allowed for upload. * * @since 3.5.0 * @access private * * @param $file_extension * @param $filtered_file_extensions * @return bool|\WP_Error */ private function is_file_type_allowed( $file_extension, $filtered_file_extensions ) { $allowed_file_extensions = $this->get_allowed_file_extensions(); if ( $filtered_file_extensions ) { $allowed_file_extensions = array_intersect( $allowed_file_extensions, $filtered_file_extensions ); } $is_allowed = false; // Check if the file type (extension) is in the allowed extensions list. If it is a non-standard file type (not // enabled by default in WordPress) and unfiltered file uploads are not enabled, it will not be in the allowed // file extensions list. foreach ( $allowed_file_extensions as $allowed_extension ) { if ( preg_match( '/' . $allowed_extension . '/', $file_extension ) ) { $is_allowed = true; break; } } if ( ! $is_allowed ) { $is_allowed = new \WP_Error( Exceptions::FORBIDDEN, 'Uploading this file type is not allowed.' ); } return $is_allowed; } /** * Remove Directory with Files * * @since 3.3.0 * @access private * * @param string $dir * @return bool */ private function remove_directory_with_files( $dir ) { $dir_iterator = new \RecursiveDirectoryIterator( $dir, \RecursiveDirectoryIterator::SKIP_DOTS ); foreach ( new \RecursiveIteratorIterator( $dir_iterator, \RecursiveIteratorIterator::CHILD_FIRST ) as $name => $item ) { if ( is_dir( $name ) ) { rmdir( $name ); } else { unlink( $name ); } } return rmdir( $dir ); } /** * Get Allowed File Extensions * * Retrieve an array containing the list of file extensions allowed for upload. * * @since 3.3.0 * @access private * * @return array file extension/s */ private function get_allowed_file_extensions() { if ( ! $this->allowed_file_extensions ) { $this->allowed_file_extensions = array_keys( get_allowed_mime_types() ); foreach ( $this->get_file_type_handlers() as $file_type => $handler ) { if ( $handler->is_upload_allowed() ) { // Add the file extension to the allowed extensions list only if unfiltered files upload is enabled. $this->add_file_extension_to_allowed_extensions_list( $file_type ); } } } return $this->allowed_file_extensions; } public function __construct() { $this->register_file_types(); add_filter( 'upload_mimes', [ $this, 'support_unfiltered_elementor_file_uploads' ] ); add_filter( 'wp_handle_upload_prefilter', [ $this, 'handle_elementor_wp_media_upload' ] ); add_filter( 'wp_check_filetype_and_ext', [ $this, 'check_filetype_and_ext' ], 10, 4 ); // Ajax. add_action( 'elementor/ajax/register_actions', [ $this, 'register_ajax_actions' ] ); } }