Another article on a new feature in the soon to be released 2.3 version. This time we'll be talking about something new called Unfiltered upload.

Let's take the following scenario: We wan't to write an article about something (we'll use geocaching in this example) and want to suplement that post with a file (gpx in this case) that your users can download and use.
Our first step would be to go to the Write Post screen, start typing and upload that file using the build-in uploader:

Upload file

In the 2.2.x version (and earlier) when we press Upload we get the following result:

Upload file failed

Due to security reasons we're only allowed to upload a pre-defined list of file types. And that's a Good thing ™. You wouldn't want a Contributer for instance to be able to upload a PHP file and take over your blog, or worse, your machine. Looking at the 2.3 sources shows us that the following types of files are allowed:

$mimes = is_array($mimes) ? $mimes : apply_filters('upload_mimes', array (
	'jpg|jpeg|jpe' => 'image/jpeg',
	'gif' => 'image/gif',
	'png' => 'image/png',
	'bmp' => 'image/bmp',
	'tif|tiff' => 'image/tiff',
	'ico' => 'image/x-icon',
	'asf|asx|wax|wmv|wmx' => 'video/asf',
	'avi' => 'video/avi',
	'mov|qt' => 'video/quicktime',
	'mpeg|mpg|mpe' => 'video/mpeg',
	'txt|c|cc|h' => 'text/plain',
	'rtx' => 'text/richtext',
	'css' => 'text/css',
	'htm|html' => 'text/html',
	'mp3|mp4' => 'audio/mpeg',
	'ra|ram' => 'audio/x-realaudio',
	'wav' => 'audio/wav',
	'ogg' => 'audio/ogg',
	'mid|midi' => 'audio/midi',
	'wma' => 'audio/wma',
	'rtf' => 'application/rtf',
	'js' => 'application/javascript',
	'pdf' => 'application/pdf',
	'doc' => 'application/msword',
	'pot|pps|ppt' => 'application/vnd.ms-powerpoint',
	'wri' => 'application/vnd.ms-write',
	'xla|xls|xlt|xlw' => 'application/vnd.ms-excel',
	'mdb' => 'application/vnd.ms-access',
	'mpp' => 'application/vnd.ms-project',
	'swf' => 'application/x-shockwave-flash',
	'class' => 'application/java',
	'tar' => 'application/x-tar',
	'zip' => 'application/zip',
	'gz|gzip' => 'application/x-gzip',
	'exe' => 'application/x-msdownload',
	// openoffice formats
	'odt' => 'application/vnd.oasis.opendocument.text',
	'odp' => 'application/vnd.oasis.opendocument.presentation',
	'ods' => 'application/vnd.oasis.opendocument.spreadsheet',
	'odg' => 'application/vnd.oasis.opendocument.graphics',
	'odc' => 'application/vnd.oasis.opendocument.chart',
	'odb' => 'application/vnd.oasis.opendocument.database',
	'odf' => 'application/vnd.oasis.opendocument.formula',

But I do want to attach that gpx file to that post. I know it's safe. So how can I do this? That's where unfiltered uploads come into play. Version 2.3 introduces a new capability which let's you upload any type of file you want. But for security reasons that capability is by default only given to users in the Administrators role. So if I try the previous as an Administrator in 2.3 I get the following screen:

Upload file succeeded

That's in short what the new unfiltered_upload capability does.

Please note that if you use a certain filetype often, but don't want to give the unfiltered_upload capability to somebody, try the WordPress mime-config plugin. It allows you to extend the default list of allowed file types.