[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types
noreply at wordpress.org
Wed Jun 3 02:05:16 UTC 2015
#24251: Reconsider SVG inclusion to get_allowed_mime_types
Reporter: JustinSainton | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Upload | Version:
Severity: normal | Resolution: wontfix
Keywords: | Focuses:
Changes (by chriscct7):
* keywords: dev-feedback needs-patch =>
* status: new => closed
* resolution: => wontfix
* severity: minor => normal
* milestone: Awaiting Review =>
Replying to [comment:26 LewisCowles]:
> Oh one other thing @iandunn, the core not only allows download and
upload of PHP scripts (although not to the media gallery), but editing of
plugins and themes, despite it being a horrible security risk, and
encouraging poor habits!
The massive difference between plugins and theme upload, and image upload,
is permissions. While yes, you can upload a plugin which contains insecure
PHP, users can only do that with very specific, high level permissions,
which by default are not granted to new users, only to people who are
managing the site. Editing a plugin/theme isn't a security risk, as its
restricted to just users who have administrator or above permissions. And
if you want to turn that off, WordPress provides many ways to do that
(constants, removing permissions from roles, removing ability to view page
without a custom capability, etc)
However, the media manager is used by those who can add content to the
site (like authors), who might not have the ability to upload plugins (the
author or contributor role).
SVG file security isn't some obscure bug. There's multiple, well known SVG
vulnerabilities. It isn't a theory, an obscurity, or an unknown. There are
well over 8,000 logged CVE's that have to do with all sorts of fun and
obscure SVG file security vulnerabilities.
The things that SVGs let you do may be a feature and are there by design,
but that doesn't make them any less of a security risk. SVGs are
inherently dangerous by design. As a CMS or as an application layer,
WordPress's job is to ensure a level of security on a site. SVGs are
simply too dangerous to allow. That being said, if you'd like to try to
mitigate all of the security issues from SVGs and allow them to be
uploaded on your site, you're more than welcome to try and write and
release a plugin to do so. WordPress has filters on the allowed mime types
that you can utilize to do this.
Replying to [comment:25 LewisCowles]:
> and as I understand it from the W3C, could affect many taggable file
linking SVG from external resources could be a bigger risk (so HTML,
xhtml, CSS and ironically JS, are also potential candidates for such
hacks, and they are not banned).
CSS files from the media manager. Nor can you edit themes or plugins
without having administrator level access to the site.
Replying to [comment:22 LewisCowles]:
> Bugs are softwae behaving in a way that is not expected. When I try to
upload an SVG file, I expect it to upload. If it is invalid it is
unreasonable of the author or distributor to think this is a WordPress
issue. If I type script tags int an SVG and WordPress removes them without
me asking it to, it is therefore unexpected and a bug!
And when I turn on my computer, I expect my toaster to walk over to my
bread and instantly (an automatically) make me toast. Since it does not do
that, that's a software bug in my toaster.
A software bug is where the software does something that which is
unintended of it's design. It has nothing to do with user expectations.
Just because, as a user, I expect a car should fly over buildings to get
me from A to B faster, it doesn't mean that the onboard navigation
software will do that, or be designed to do that. I might really really
want it to do that (I do) and I might really hate that it doesn't do that
(I do) but that doesn't make it a software bug. The software does exactly
what it is intended to do, which is navigation.
WordPress allows certain files types to be uploaded via the media manager,
and does not allow any files to be uploaded that aren't of those types.
Blocking the upload of files that are not allowed is not a bug, it is the
design of the software, and contrary to what users may or may not think,
it is doing exactly what it is designed to due (and therefore by
definition not a bug).
WordPress needs to be secure, by default, for all users. SVG uploads via
the media manager will not be permitted in core in their current document
Tagging as wontfix, for the same reasons nacin pointed out 2 years ago,
and will probably be true for many more years.
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:27>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac