
Conversation

Member

@sapayth sapayth commented Jan 1, 2026

related PR #1353

This PR removes executable files (.exe) from the list of allowed file types in the file upload field.

WordPress restricts file uploads by default to a whitelist of safe MIME types, such as common images (jpg, png), documents (pdf, doc), audio (mp3), and videos (mp4), blocking others for security reasons.
The "unfiltered_upload" capability allows bypassing these restrictions to upload any file type, but no user role, including Administrator, has this capability by default. As the Administrator does not get the capability by default, we are also not allowing it from our end.

Summary by CodeRabbit

  • Bug Fixes
    • Disabled uploading of executable files (.exe extension) to enhance security and prevent potential malware uploads.

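The PR description above explains the model WP User Frontend follows: a category-based allowlist of extensions, with no opt-in path for executables even for administrators. The block below is an added example written for this page; it is not the plugin's own code and does not touch WordPress APIs. The category names mirror those the review comment lists for wpuf_allowed_extensions() ('images', 'audio', 'video', 'pdf', 'office', 'zip', 'csv'), but the extension sets, the function names and the sample filenames are assumptions constructed for illustration.

```php
<?php
// Added example (not WP User Frontend's code): a category-based upload
// allowlist. Category names follow the review comment on this PR; the
// extensions inside each category are an assumption for illustration.

function example_allowed_extensions(): array {
    return [
        'images' => ['jpg', 'jpeg', 'gif', 'png'],
        'audio'  => ['mp3', 'wav', 'ogg'],
        'video'  => ['mp4', 'mov', 'avi'],
        'pdf'    => ['pdf'],
        'office' => ['doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx'],
        'zip'    => ['zip', 'gz', 'tar'],
        'csv'    => ['csv'],
        // Deliberately no category for executables. An allowlist only
        // accepts what is explicitly listed, so 'exe' cannot slip through
        // unless someone adds it here on purpose.
    ];
}

/**
 * Returns true only if the file's final extension belongs to one of the
 * enabled categories. There is no "unfiltered" bypass parameter: as the PR
 * description states, the plugin does not grant that even to Administrators.
 */
function example_is_upload_allowed(string $filename, array $enabled_categories): bool {
    $catalogue = example_allowed_extensions();
    $allowed   = [];
    foreach ($enabled_categories as $category) {
        if (isset($catalogue[$category])) {
            $allowed = array_merge($allowed, $catalogue[$category]);
        }
        // Unknown category names are ignored rather than treated as "anything".
    }
    $allowed = array_flip($allowed); // extension => index, for O(1) lookup

    // Compare case-insensitively so "SETUP.EXE" is handled like "setup.exe".
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($ext === '') {
        return false; // no extension at all: reject rather than guess a type
    }
    return isset($allowed[$ext]);
}

// Constructed sample input: a form that enables only some categories.
$enabled = ['images', 'pdf', 'office', 'zip', 'csv'];
foreach (['report.pdf', 'photo.JPG', 'setup.exe', 'song.mp3', 'archive.tar', 'README'] as $name) {
    printf("%-12s %s\n", $name, example_is_upload_allowed($name, $enabled) ? 'accepted' : 'rejected');
}
```

With the sample input, report.pdf, photo.JPG and archive.tar are accepted; setup.exe is rejected because no category contains it, song.mp3 because the audio category is not enabled for this form, and README because it has no extension. Note that an extension allowlist on its own says nothing about the file's actual contents; in WordPress the server-side MIME check still applies on top of whatever list the plugin passes along.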


coderabbitai bot commented Jan 1, 2026

Walkthrough

The pull request removes the 'exe' (executable) file extension from allowed file types in two locations: the REST controller's form field sanitization and the main allowed extensions function, reducing the set of recognized file types in the system.

Changes

Cohort / File(s): Executable extension removal (includes/AI/RestController.php, wpuf-functions.php)
Summary: Removed 'exe' extension from allowed file extensions array in both sanitize_form_fields() and wpuf_allowed_extensions()

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Poem

🐰 No more exe files hopping through our gates,
Security tightens, the bunny appreciates!
Extensions trimmed clean, just keeping the good,
A safer upload system, as it should. 🛡️

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title 'fix: remove exe from allowed file upload list' accurately and concisely describes the main change: removing the .exe extension from allowed file uploads.
Docstring Coverage: ✅ Passed. Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c7ed209 and dc80ee9.

📒 Files selected for processing (2)
  • includes/AI/RestController.php
  • wpuf-functions.php
💤 Files with no reviewable changes (1)
  • wpuf-functions.php
🔇 Additional comments (1)
includes/AI/RestController.php (1)

1681-1681: Review comment is inaccurate regarding the claimed change.

The code at line 1681 does not contain 'exe' in the extensions array, and there is no evidence that 'exe' was ever included in the default allowed extensions (['images', 'audio', 'video', 'pdf', 'office', 'zip', 'csv']). The wpuf_allowed_extensions() function in wpuf-functions.php (lines 531-561) defines the extension categories, and none of them include executable file extensions. The review comment's claim about "removing exe from allowed file types" does not match the actual code state.

Likely an incorrect or invalid review comment.

