Let’s assume that an user has just uploaded an image. How do we make sure that the image doesn’t contain hidden PHP code that will run once the image is on the server? The most common (and, for practical purposes, the only one) attack pattern is to include some PHP code in your .jpg file(s) and upload them. Let’s assume this is a POST REST endpoint, call it upload_image, we’re trying to simply ping it, by providing the image. For simplicity’s sake, let’s assume that our image is base64 encoded.

The system will decode it, see that it’s a .jpg and try to run media_handle_sideload. All we’re doing is uploading a file on the server. No checks.

I have searched far and wide for a WP-based solution, both on Google and on Github, and it seems there’s none, or no consensus on how to do it. Looking at async-upload.php and media.php, it doesn’t seem that they do any checks at all. It is assumed that, if an user can upload images, he’s to be trusted. I can’t see any parsing/checking.

What should I do?