Validate MIME type against extensions

.gitignore

@@ -2,3 +2,4 @@
 wp-cli.local.yml
 node_modules/
 vendor/
+composer.lock

command.php

@@ -4,6 +4,11 @@
 	return;
 }
 
+$autoload = dirname( __FILE__ ) . '/vendor/autoload.php';
+if ( file_exists( $autoload ) ) {
+	require_once $autoload;
+}
+
 spl_autoload_register( function( $class ) {
 	$class = ltrim( $class, '\\' );
 	if ( 0 !== stripos( $class, 'runcommand\\Doctor\\' ) ) {

composer.json

@@ -17,7 +17,8 @@
         "files": [ "command.php" ]
     },
     "require": {
-        "wp-cli/wp-cli": "*"
+        "wp-cli/wp-cli": "*",
+        "brightnucleus/mime-types": "^0.2.0"
     },
     "require-dev": {
         "behat/behat": "~2.5"

doctor.yml

@@ -38,5 +38,7 @@ theme-update:
   check: Theme_Update
 php-in-upload:
   check: PHP_In_Upload
+validate-mime:
+  check: Validate_Mime
 language-update:
   check: Language_Update

features/check-validate-mime.feature

@@ -0,0 +1,13 @@
+Feature: Detect files having extensions with incorrect MIME-types
+
+Scenario: Detect a .png file with PHP code
+  Given a WP install
+  And a wp-content/uploads/image.png file:
+  """
+  <?php malicious_code();
+  """
+
+  When I run `wp doctor check validate-mime`
+  Then STDOUT should be a table containing rows:
+    | name          | status  | message                                  |
+    | validate-mime | warning | Files detected with different MIME type. |

inc/checks/class-validate-mime.php

@@ -0,0 +1,53 @@
+<?php
+
+namespace runcommand\Doctor\Checks;
+
+use WP_CLI;
+use RecursiveDirectoryIterator;
+use RecursiveIteratorIterator;
+use BrightNucleus\MimeTypes\MimeTypes;
+
+/**
+ * Warns when the extension of a file doesn't match the MIME type.
+ */
+class Validate_Mime extends Check {
+
+	/**
+	 * Array containing list of files found in the uploads folder
+	 *
+	 * @var array
+	 */
+	protected $php_files_array = array();
+
+
+	public function run() {
+
+		// Path to the uploads folder.
+		$wp_content_dir = wp_upload_dir();
+		$directory      = new RecursiveDirectoryIterator( $wp_content_dir['basedir'], RecursiveDirectoryIterator::SKIP_DOTS );
+		$iterator       = new RecursiveIteratorIterator( $directory, RecursiveIteratorIterator::CHILD_FIRST );
+
+		foreach ( $iterator as $file ) {
+			$file_path      = $file->getPathname();
+			$file_extension = $file->getExtension();
+			$file_mime_type = mime_content_type( $file_path );
+
+			if ( 'directory' !== $file_mime_type ) {
+				$mime_types = MimeTypes::getTypesForExtension( $file_extension );
+
+				if ( is_array( $mime_types ) && ! in_array( $file_mime_type, $mime_types ) ) {
+					$this->php_files_array[] = $file;
+				}
+			}
+		}
+
+		if ( ! empty( $this->php_files_array ) ) {
+			$this->set_status( 'warning' );
+			$this->set_message( 'Files detected with different MIME type.' );
+			return;
+		}
+
+		$this->set_status( 'success' );
+		$this->set_message( 'All files have valid MIMEs' );
+	}
+}