[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types

WordPress Trac noreply at wordpress.org
Sat Feb 27 21:18:00 UTC 2016


#24251: Reconsider SVG inclusion to get_allowed_mime_types
---------------------------+------------------------------
 Reporter:  JustinSainton  |       Owner:
     Type:  enhancement    |      Status:  reopened
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  Upload         |     Version:
 Severity:  normal         |  Resolution:
 Keywords:  early          |     Focuses:
---------------------------+------------------------------

Comment (by chriscct7):

 Replying to [comment:54 LewisCowles]:
 > I tested this morning; WP does not protect against me uploading a text
 > file renamed to .png, so there is probably very little to stop me
 > uploading a malicious payload in any format.

 That's not comparable to sanitized SVG upload. A PNG file, on render or
 access, does not run scripts. A sanitized SVG can contain JavaScript or
 trigger remotely run code. There's quite a few different ways SVG files
 can cause malicious output. A good overview of some of these issues is:
 https://www.blackhat.com/docs/us-14/materials/us-14-DeGraaf-SVG-Exploiting-Browsers-Without-Image-Parsing-Bugs.pdf

 However, as those slides were presented 2 years ago, several new attack
 vectors found over the last 2 years are omitted, as well as possibilities
 arising from the new SVG 2.0 spec.

 > so there is probably very little to stop me uploading a malicious
 > payload in any format

 This would be a security bug. If you find or know a way to do this, please
 email security@ wordpress.org so it can be fixed.

 > It took virtually no time at all to build the PoC WP plugin to allow
 > uploads of SVG. Then WP released an update and the plugin had to be
 > modified.

 The plugin didn't fully sanitize SVGs at the time it was uploaded. Whether
 the plugin runs now or not as the result of a WordPress update is
 irrelevant. Moreover, the new SVG 2.0 also adds more places for JS to be
 placed in an SVG file that the plugin doesn't account for.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:57>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
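The comment above argues that an SVG, unlike a PNG, can carry active content in several places (script elements, event handler attributes, script-bearing links, and, as the slides it cites show, animation elements that rewrite attributes at render time), and that a sanitizer has to account for all of them. The following Python is an added example written for this page; it is not code from WordPress core, from the ticket, or from the plugin discussed. The function names and the two sample SVG documents are constructed for illustration. It parses a candidate upload with the standard library, lists the active-content vectors it recognises, and strips them, so it can be used as an upload-time reject-or-clean step.

```python
"""Defensive upload-time check for SVG files (added example, not WordPress code).

Flags and strips the well-known places an SVG can carry active content:
<script> and <foreignObject> (the latter embeds arbitrary XHTML), on* event
handler attributes, javascript:/vbscript:/data: URLs in href or xlink:href,
and SMIL animation elements (<set>/<animate>) whose attributeName targets an
href, which would rewrite a link at render time.  Because this is a blocklist
of known vectors, it is a detection and defence-in-depth layer, not proof that
a file is safe; a new spec feature can add a place this code does not cover.
For production use, parse with the defusedxml package instead of plain
ElementTree so that XML-level attacks (entity expansion) are also handled.
"""
from typing import Optional
import xml.etree.ElementTree as ET

SVG_URI = "http://www.w3.org/2000/svg"
XLINK_URI = "http://www.w3.org/1999/xlink"
# Registered so the sanitized output keeps the usual prefixes when serialised.
ET.register_namespace("", SVG_URI)
ET.register_namespace("xlink", XLINK_URI)

SCRIPT_ELEMENTS = {"script", "foreignObject", "handler"}  # handler: SVG Tiny 1.2 scripting
ANIMATION_ELEMENTS = {"set", "animate"}
HREF_ATTRS = {"href", "{%s}href" % XLINK_URI}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attribute keys."""
    return qname.rsplit("}", 1)[-1]


def _dangerous_element(elem) -> Optional[str]:
    """Describe why an element is active content, or None if it is not flagged."""
    name = _local(elem.tag)
    if name in SCRIPT_ELEMENTS:
        return f"element <{name}>"
    # attributeName is a plain string ("href" or "xlink:href"), not namespace-resolved.
    target = elem.get("attributeName", "").split(":")[-1]
    if name in ANIMATION_ELEMENTS and target == "href":
        return f"animation <{name}> targeting href"
    return None


def _dangerous_attr(attr: str, value: str) -> Optional[str]:
    """Describe why an attribute is active content, or None if it is not flagged."""
    name = _local(attr)
    if name.lower().startswith("on"):
        return f"event handler {name}"
    # Drop all whitespace before matching the scheme: browsers tolerate some
    # control characters inside a scheme, so compare conservatively.
    compact = "".join(value.split()).lower()
    if attr in HREF_ATTRS and compact.startswith(BAD_SCHEMES):
        return f"{name} with {compact.split(':')[0]}: URL"
    return None


def find_active_content(svg_bytes: bytes) -> list:
    """Return human-readable findings for one SVG; an empty list means nothing flagged."""
    root = ET.fromstring(svg_bytes)  # ParseError on malformed XML: reject such uploads
    findings = []
    for elem in root.iter():  # document order, depth first
        tag = _local(elem.tag)
        hit = _dangerous_element(elem)
        if hit:
            findings.append(hit)
        for attr, value in elem.attrib.items():
            hit = _dangerous_attr(attr, value)
            if hit:
                findings.append(f"{hit} on <{tag}>")
    return findings


def sanitize_svg(svg_bytes: bytes) -> bytes:
    """Remove flagged elements and attributes and return the serialised document."""
    root = ET.fromstring(svg_bytes)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for elem in list(root.iter()):  # snapshot: the tree is modified while walking
        if _dangerous_element(elem):
            if elem is root:
                raise ValueError("root element is active content; reject the file")
            parent_of[elem].remove(elem)
            continue
        for attr in list(elem.attrib):
            if _dangerous_attr(attr, elem.attrib[attr]):
                del elem.attrib[attr]
    return ET.tostring(root)


# Constructed samples for demonstration; alert() stands in for any script.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
             b'<circle r="5"/></svg>')
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)" width="10" height="10">
  <script>alert(2)</script>
  <a xlink:href="javascript:alert(3)"><circle r="5"/></a>
  <rect width="10" height="10"><set attributeName="href" to="javascript:alert(4)"/></rect>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">x</body></foreignObject>
</svg>"""

if __name__ == "__main__":
    for line in find_active_content(SAMPLE_SVG):
        print("flagged:", line)
    print(sanitize_svg(SAMPLE_SVG).decode())
```

On the constructed sample the check reports five findings (the onload handler on the root, the script element, the javascript: link, the animation element targeting href, and the foreignObject), and the sanitized output of the same file reports none while keeping the harmless circle. Whether to strip or to reject outright is a policy choice; rejecting is the simpler and safer default for a public upload form, since stripping only removes what the blocklist already knows about.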
