WordPress 4.9.9 as well as 5.0.1 and ALL the “security patch releases” back to 3.7 now have a new CSV file management bug. Any CSV file that is uploaded is rejected by WordPress due to a security violation.

The Quick Fix

Add this to your wp-config.php file:

define('ALLOW_UNFILTERED_UPLOADS', true);

Yes, this will effectively disable all those cool new “security features” in the latest release of WordPress, but it will also get your CSV imports working again. With this constant set, WordPress stops enforcing its file-type restrictions on uploads by administrators, for every file type and not only CSV. Just remember to take this out when WordPress 4.9.10 (or 5.0.2) comes out, assuming they deem this new “security feature” a bug and patch it accordingly.

Why Is This Happening?

This is because WordPress is throwing out this plain text file because its native file type does not match the approved MIME type.

Somehow, WordPress suddenly decided that a plain text file, which has NO VIABLE METADATA in the header, can be identified solely by the MIME type header passed in to it from environment variables. It is not checking that the file is actually a text file in a valid CSV format. Instead it is relying on indeterminate metadata passed in by proxy from other services.

And it makes the wrong decision: that the file is a ROGUE format and thus a security threat.

PHP and Fileinfo

The theory is that the problem is related to the PHP fileinfo module being active, a module that is active on MOST servers running newer versions of PHP. When that module is running, PHP will set the file MIME type to text/plain, which is technically correct since a proper CSV file is in reality nothing more than a plain text file.

Unfortunately WordPress expects, and in the latest release now DEMANDS, that the MIME type PHP sends to it comes in as “text/csv” if the file extension is CSV.

It Impacts ALL CSV Importers

This bug (and it has now become clear that it is a bug, regardless of the current “it is a security feature” stance over at WP HQ) does not just impact WordPress Store Locator Plus® users. It is killing a lot of WooCommerce users trying to import stuff on that plugin as well, along with hundreds of other plugins and themes that have any kind of CSV import feature.

SLP Power Add On Patch

Our Power 5.0.1 release is in testing and has a code workaround that patches the invalid MIME type info sent in for ALL MIME types that have been mangled. This patch will fix the CSV import not only for the Power add on but for all other themes and plugins on a site running the Power 5.0.1 add on.

Premier users can request the Power 5.0.1 prerelease today.

It uses the same methodology as the Disable Real Mime Check plugin that has been put into “emergency service” despite not being updated in years.
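
A narrower alternative to the global switch is sketched below as an added example. It is not code from the Power add on or from the Disable Real Mime Check plugin. It hooks the core `wp_check_filetype_and_ext` filter and re-approves only `.csv` uploads whose content fileinfo reports as text. The function name, the mu-plugin placement and the list of accepted MIME types are assumptions.

```php
<?php
// Added example for a hypothetical mu-plugin file (the path and function name are assumptions).
// Re-approves a rejected .csv upload only when its content really is plain text.
add_filter( 'wp_check_filetype_and_ext', 'example_allow_plaintext_csv', 10, 4 );

function example_allow_plaintext_csv( $data, $file, $filename, $mimes ) {
    // Core already accepted the file: nothing to repair.
    if ( ! empty( $data['ext'] ) && ! empty( $data['type'] ) ) {
        return $data;
    }

    // Act only when the file name maps to the CSV type in the allowed list.
    $by_name = wp_check_filetype( $filename, $mimes );
    if ( 'text/csv' !== $by_name['type'] ) {
        return $data;
    }

    // Without fileinfo the content cannot be inspected, so keep the rejection.
    if ( ! class_exists( 'finfo' ) || ! is_readable( $file ) ) {
        return $data;
    }
    $finfo = new finfo( FILEINFO_MIME_TYPE );
    $real  = $finfo->file( $file );

    // Types fileinfo may report for CSV content (assumed list, adjust per server).
    $text_types = array( 'text/plain', 'text/csv', 'text/x-csv', 'application/csv' );
    if ( ! in_array( $real, $text_types, true ) ) {
        return $data;
    }

    // Extra guard: a NUL byte in the first 8 KB means this is not a text file.
    $head = file_get_contents( $file, false, null, 0, 8192 );
    if ( false === $head || false !== strpos( $head, "\0" ) ) {
        return $data;
    }

    // Restore the extension and type that the file name alone would have produced.
    $data['ext']  = $by_name['ext'];
    $data['type'] = $by_name['type'];
    return $data;
}
```

Every other extension still goes through the core check unchanged, and `ALLOW_UNFILTERED_UPLOADS` can stay out of wp-config.php.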

3 comments

  1. My host company said they got this message: Google JavaScript API geocoder failed with status REQUEST_DENIED results 0.
    Are you sure you can’t provide any other fix besides reducing security?
