Tumult Hype Wordpress Plugin: Information about Allowlisted files for OAM uploads

If you'd like to suggest permanently adding an allowed file extension, please let us know here.

  • To maintain security for your WordPress site, we strongly recommend you only share Author or higher logins with people you trust, and don't add server scripts like PHP files to your Hype documents.
  • For compressed files like zip or rar files, we recommend uploading these directly to your media library and loading these using a full URL if you need to link to them from your library.

The list looks pretty extensive…

// Define an initial allowed extensions array
$allowlist_tumult_hype_animations = array(
	'images' => array(
		'jpg',
		'jpeg',
		'png',
		'gif',
		'bmp',
		'apng',
		'heic',
		'heif',
		'ico',
		'svg',
		'svgz',
		'tif',
		'tiff',
		'webp',
		'webm',
		'psd',
		'htc', // for ie compatibility
		'pie', // for ie compatibility
	),
	'audio' => array(
		'mp3',
		'wav',
		'aif',
		'ogg',
		'aac',
		'mid',
		'midi',
		'oga',
		'opus',
		'weba',
		'flac',
		'aiff',
	),
	'video' => array(
		'mp4',
		'avi',
		'mov',
		'3g2',
		'3gp',
		'ogv',
		'mpg',
		'm4a',
		'm4v',
		'm4p',
		'mpeg',
		'hevc',
		'm3u8',
		'mpkg',
		'mkv',
		'wmv',
		'flv',
		'wma',
	),
	'fonts' => array(
		'ttf',
		'otf',
		'woff',
		'woff2',
		'eot',
		'ttc',
	),
	'documents' => array(
		'doc',
		'docx',
		'pdf',
		'txt',
		'rtf',
		'rtx',
		'csv',
		'srt',
		'vtt',
		'xls',
		'xlsx',
		'ods',
		'odt',
		'ppt',
		'pptx',
		'epub',
		'odp',
		'key',
		'xhtml',
		'usdz',
	),
	'scripts' => array(
		'js',
		'map', // source map
		'mjs',
		'json',
		'jsonld',
	),
	'stylesheets' => array(
		'css',
		'sass',
		'scss',
		'less',
		'stylus',
	),
	'other' => array(
		'html',
		'htm',
		'plist', // recoverable Tumult Hype plist file
		'xml',
		'yaml',
		'ics',
		'vsd',
		'pps',
		'ppsx',
	),
);

I was wondering if “svg” would be considered a safe file. That might be considered a problem because it could include JavaScript… but since this is Hype land, “js” is already there.

I was thinking usdz, but that's in the “documents”.

Here are just some ideas for discussion…

  • Apple extensions… .numbers, .pages, .key
  • .htaccess… usage seems unlikely and might actually be a security risk
  • swf… ha ha, since IE related files are there already

I don't really need those. It's just for discussion.

Also, here's a nice page about a list of web extensions… Common MIME types - HTTP | MDN …but it looks like you got the good ones already.

I'm missing a lot of 3D formats, but I haven't seen those used much in WordPress. Willing to entertain more file types as long as they can't be used to do sneaky stuff ☠. I feel like .htaccess files can be very malicious (for redirects).

For SVGs, this post had some interesting info about SVGs + security in WordPress: Enable SVG Support in WordPress. The best in class 'cleaner' for SVGs seems to be: GitHub - darylldoyle/svg-sanitizer: A PHP SVG/XML Sanitizer but I'm not sure it's the right move to integrate that here.

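As an added example for the discussion above (this is not the Tumult Hype plugin's own code), here is one way a filename taken from an uploaded OAM archive could be checked against an allowlist shaped like the `$allowlist_tumult_hype_animations` array: the last extension must be allowlisted, the comparison is case-insensitive, dotfiles such as `.htaccess` are rejected outright, `..` path segments are refused, and no segment of the name may be a server-script extension (so `shell.php.jpg` fails even though `jpg` is allowed). The shortened allowlist, the `$hype_server_script_extensions` list, the function names and the sample filenames are all constructed for this example.

```php
<?php
// Added example, not the plugin's code. A shortened, constructed copy of the
// allowlist from the thread so the script runs stand-alone: php upload_check.php
$allowlist_tumult_hype_animations = array(
    'images'      => array('jpg', 'jpeg', 'png', 'gif', 'svg', 'webp'),
    'scripts'     => array('js', 'map', 'mjs', 'json'),
    'stylesheets' => array('css'),
    'other'       => array('html', 'htm', 'plist', 'xml'),
);

// Constructed deny list: server-side script extensions that must not appear in
// ANY dot-separated segment, because some Apache mod_mime configurations
// evaluate every extension of a name, not just the last one.
$hype_server_script_extensions = array(
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'cgi', 'pl', 'asp', 'aspx', 'jsp',
);

// Flatten category => extensions into a lowercase lookup set.
function hype_allowed_extension_set(array $allowlist): array {
    $set = array();
    foreach ($allowlist as $extensions) {
        foreach ($extensions as $ext) {
            $set[strtolower($ext)] = true;
        }
    }
    return $set;
}

// Returns array(bool $accepted, string $reason) for one archive entry path.
function hype_check_upload_name(string $path, array $allowed, array $denied): array {
    $normalised = str_replace('\\', '/', $path);
    // Refuse traversal anywhere in the relative path, not just in the basename.
    foreach (explode('/', $normalised) as $segment) {
        if ($segment === '..') {
            return array(false, 'path traversal segment');
        }
    }
    $base = basename($normalised);
    if ($base === '' || $base === '.') {
        return array(false, 'empty name');
    }
    if ($base[0] === '.') {
        // .htaccess, .htpasswd, .user.ini: dotfiles have no usable extension.
        return array(false, 'dotfile');
    }
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2 || end($parts) === '') {
        return array(false, 'no extension');
    }
    // Every segment after the first is an extension candidate.
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, $denied, true)) {
            return array(false, "server script extension '$segment'");
        }
    }
    $final = end($parts);
    if (!isset($allowed[$final])) {
        return array(false, "extension '$final' not allowlisted");
    }
    return array(true, "allowed ($final)");
}

// Cheap screen for active content in an SVG that passed the extension check.
// This is NOT a sanitizer; accepting SVG for real means running one such as
// the darylldoyle/svg-sanitizer project named in the thread.
function hype_svg_looks_passive(string $svg): bool {
    return preg_match('/<script\b|\son[a-z]+\s*=|javascript:/i', $svg) !== 1;
}

// Constructed sample entries, as they might appear inside an exported OAM.
$samples = array(
    'images/logo.PNG',
    'scripts/app.min.js',
    'hidden/.htaccess',
    'shell.php.jpg',
    'readme',
    'data.yaml.bak',
    '../escape.png',
);
$allowed = hype_allowed_extension_set($allowlist_tumult_hype_animations);
foreach ($samples as $name) {
    list($ok, $why) = hype_check_upload_name($name, $allowed, $hype_server_script_extensions);
    printf("%-22s %s  %s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why);
}

// Constructed SVG fragments: one plain shape, one carrying an event handler.
$svg_plain  = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>';
$svg_active = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5" onload="handler()"/></svg>';
printf("plain svg passive:  %s\n", hype_svg_looks_passive($svg_plain) ? 'yes' : 'no');
printf("active svg passive: %s\n", hype_svg_looks_passive($svg_active) ? 'yes' : 'no');
```

Running it accepts `images/logo.PNG` and `scripts/app.min.js` and rejects the other five, each with its reason. The deny list and the SVG screen are the two checks the extension list alone cannot express: the first covers the "no server scripts" advice from the opening post even when an allowlisted extension is appended, and the second only flags the obvious `<script>`, `on*=` and `javascript:` cases, which is why a real sanitizer is the right tool if SVG stays on the list.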