The WordPress File Upload plugin introduced the Quarantine feature in version 4.25.0.

This feature enables certain categories of uploaded files that would normally be rejected by the plugin to be placed in quarantine instead.

Quarantine is a special folder, not publicly accessible, where these files are stored temporarily, so that a website administrator can review them and decide whether to keep them or not. Accepted files are then stored in their intended location, while rejected files are deleted.

The new feature allows administrators to create upload exceptions, meaning rules that instruct the plugin to automatically accept uploaded files that should normally be rejected.

The plugin quarantines an uploaded file when it cannot validate its MIME type.

The quarantined files are kept in the quarantine folder for thirty (30) days by default. After that they are automatically deleted by the plugin.

Activation

The Quarantine feature is deactivated by default, so it needs to be activated. To do this, go to Dashboard / Settings / WordPress File Upload / Settings and, under Quarantine Settings, check the Quarantine Active option.

When the feature is activated, a new tab, Quarantine, appears in the Dashboard area of the plugin. In this tab admins can review and manage files that have been quarantined.

Quarantine Folder

When an uploaded file is quarantined, it is temporarily stored in a special quarantine folder, not publicly accessible.

When the Quarantine feature is activated, the plugin automatically creates this folder under the /wp-content directory and sets its permissions to 0750 (octal), so that it is not accessible to the public.

The default name of the quarantine folder is /wfu-quarantine, but it can be modified from the plugin’s Settings, using the Quarantine Folder option.

If the quarantine folder name is modified, the plugin will automatically create the new folder and set its permissions accordingly.

Adding Uploaded Files to Quarantine

The plugin performs MIME type validation when a file is uploaded. A MIME type indicates the nature and format of a file.

During the validation, the MIME type must match the extension of the file. For example, the MIME type of an image file with a .png extension must be image/png.

The plugin keeps a standard list of mappings between extensions and MIME types. If an uploaded file’s MIME type and extension combination is not in this list, then the file is considered to be suspicious and it is rejected, showing the following message to the user:

When Quarantine is activated, the plugin will not reject the file, but will add it to the quarantine instead. In this case the message shown to the user is the following:

Website administrators can view all the files that have been added to quarantine from the Quarantine tab in the Dashboard area of the plugin, as described below.

Quarantined Files

When uploaded files are added to the plugin’s quarantine, they can be reviewed by the website administrators from the Quarantine tab in the Dashboard area of the plugin.

The table provides basic information for each quarantined file, such as the intended upload path, its size, when it was uploaded and the quarantine reason.

Admins can review the files and accept or reject any of them using the action buttons.

Quarantined File Rejection

An admin can reject a quarantined file by pressing the rejection button.

A dialog shows up asking the user to confirm the rejection.

Upon confirmation the file is permanently deleted.

Quarantined File Acceptance

An admin can accept a quarantined file by pressing the accept button.

When it is pressed, a new page shows up where the admin is prompted to confirm acceptance of the quarantined file.

Furthermore, the admin is asked whether they want to add an upload exception, so that all files having the same MIME type issue and extension are automatically accepted from now on, without first being added to quarantine.

If Add Upload Exception is selected, the plugin will check whether there are any other quarantined files affected by the exception and will show them to the admin:

In the above example, if the admin presses the Accept and Add Exception button, file sample.txt2 together with files sample2.txt2 and sample3.txt2 will be accepted.

The plugin will also add an upload exception so that all subsequently uploaded files with a .txt2 extension and a MIME type of text/plain are also automatically accepted.

When a quarantined file is accepted, it is stored in its intended final location, any related post-upload actions are executed (depending on the configuration of the upload form shortcode from which it was uploaded), and it is included in the plugin’s file viewers.

Upload Exceptions

Upload exceptions are rules that instruct the plugin to automatically accept uploaded files that match certain criteria.

They can be created when accepting quarantined files, as described above.

Admins can review and manage the upload exceptions from the Exceptions tab in the Dashboard area of the plugin.

The table provides basic information for each upload exception, such as its category, the file extension it applies to, encoded details and a description of which files are accepted because of it.

Admins can remove an exception by pressing the trash icon in the Actions column.
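
The decision flow described under Adding Uploaded Files to Quarantine and Upload Exceptions can be sketched as follows. This is an added example, not the plugin's own code: the function and constant names, the abbreviated mapping list, the "ext|mime" exception format and the use of PHP's fileinfo extension for MIME detection are all assumptions.

```php
<?php
// Added illustration; every name here is hypothetical, not taken from the plugin.

// Stand-in for the plugin's standard list of extension/MIME mappings (abbreviated).
const STANDARD_MAP = [
    'png' => ['image/png'],
    'txt' => ['text/plain'],
    'pdf' => ['application/pdf'],
];

/**
 * Decide what happens to an upload: 'accept', 'quarantine' or 'reject'.
 * $exceptions is a list of "ext|mime" strings approved by an administrator.
 */
function upload_decision(string $filename, string $contents,
                         bool $quarantineActive, array $exceptions): array
{
    $ext  = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    // Assumption: the MIME type is detected from the file content via fileinfo.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($contents);

    if (in_array($mime, STANDARD_MAP[$ext] ?? [], true)) {
        return ['accept', $ext, $mime];      // extension and MIME type agree
    }
    if (in_array("$ext|$mime", $exceptions, true)) {
        return ['accept', $ext, $mime];      // combination covered by an exception
    }
    // Validation failed: hold for review if quarantine is on, otherwise reject.
    return [$quarantineActive ? 'quarantine' : 'reject', $ext, $mime];
}

// Constructed sample uploads (a PNG header and a short text file).
$png  = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . str_repeat("\x00", 17);
$text = "plain text notes\n";

$cases = [
    ['photo.png',    $png,  true,  []],                  // standard mapping
    ['sample.txt2',  $text, false, []],                  // quarantine deactivated
    ['sample.txt2',  $text, true,  []],                  // quarantine activated
    ['sample2.txt2', $text, true,  ['txt2|text/plain']], // exception added
    ['notes.png',    $text, true,  ['txt2|text/plain']], // exception does not apply
];
foreach ($cases as [$name, $data, $active, $exceptions]) {
    [$verdict, $ext, $mime] = upload_decision($name, $data, $active, $exceptions);
    printf("%-13s ext=%-5s mime=%-11s quarantine=%-3s -> %s\n",
        $name, $ext, $mime, $active ? 'on' : 'off', $verdict);
}
```

The last case shows why an exception should be reviewed as an extension and MIME type pair: the .txt2 exception does not loosen validation for a text file uploaded with a .png extension.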

Maintenance

The plugin automatically removes quarantined files that are older than thirty (30) days.

An admin can change the lifetime of quarantined files by editing the Quarantined Files Life advanced option from the Advanced tab in the Dashboard area of the plugin.
