[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types

WordPress Trac noreply at wordpress.org
Wed Jun 3 02:05:16 UTC 2015

#24251: Reconsider SVG inclusion to get_allowed_mime_types
 Reporter:  JustinSainton  |       Owner:
     Type:  enhancement    |      Status:  closed
 Priority:  normal         |   Milestone:
Component:  Upload         |     Version:
 Severity:  normal         |  Resolution:  wontfix
 Keywords:                 |     Focuses:
Changes (by chriscct7):

 * keywords:  dev-feedback needs-patch =>
 * status:  new => closed
 * resolution:   => wontfix
 * severity:  minor => normal
 * milestone:  Awaiting Review =>


 Replying to [comment:26 LewisCowles]:
 > Oh one other thing @iandunn, the core not only allows download and
 upload of PHP scripts (although not to the media gallery), but editing of
 plugins and themes, despite it being a horrible security risk, and
 encouraging poor habits!

 The massive difference between plugins and theme upload, and image upload,
 is permissions. While yes, you can upload a plugin which contains insecure
 PHP, users can only do that with very specific, high level permissions,
 which by default are not granted to new users, only to people who are
 managing the site. Editing a plugin/theme isn't a security risk, as its
 restricted to just users who have administrator or above permissions. And
 if you want to turn that off, WordPress provides many ways to do that
 (constants, removing permissions from roles, removing ability to view page
 without a custom capability, etc)

 However, the media manager is used by those who can add content to the
 site (like authors), who might not have the ability to upload plugins (the
 author or contributor role).

 SVG file security isn't some obscure bug. There's multiple, well known SVG
 vulnerabilities. It isn't a theory, an obscurity, or an unknown. There are
 well over 8,000 logged CVE's that have to do with all sorts of fun and
 obscure SVG file security vulnerabilities.

 The things that SVGs let you do may be a feature and are there by design,
 but that doesn't make them any less of a security risk. SVGs are
 inherently dangerous by design. As a CMS or as an application layer,
 WordPress's job is to ensure a level of security on a site. SVGs are
 simply too dangerous to allow. That being said, if you'd like to try to
 mitigate all of the security issues from SVGs and allow them to be
 uploaded on your site, you're more than welcome to try and write and
 release a plugin to do so. WordPress has filters on the allowed mime types
 that you can utilize to do this.

 Replying to [comment:25 LewisCowles]:
 > and as I understand it from the W3C, could affect many taggable file
 formats accepting script tags, or javascript, and data uri's, css files
 linking SVG from external resources could be a bigger risk (so HTML,
 xhtml, CSS and ironically JS, are also potential candidates for such
 hacks, and they are not banned).

 And that's a terrible example, as you cannot upload HTML, Javascript or
 CSS files from the media manager. Nor can you edit themes or plugins
 without having administrator level access to the site.

 Replying to [comment:22 LewisCowles]:
 > Bugs are softwae behaving in a way that is not expected. When I try to
 upload an SVG file, I expect it to upload. If it is invalid it is
 unreasonable of the author or distributor to think this is a WordPress
 issue. If I type script tags int an SVG and WordPress removes them without
 me asking it to, it is therefore unexpected and a bug!

 And when I turn on my computer, I expect my toaster to walk over to my
 bread and instantly (an automatically) make me toast. Since it does not do
 that, that's a software bug in my toaster.

 A software bug is where the software does something that which is
 unintended of it's design. It has nothing to do with user expectations.
 Just because, as a user, I expect a car should fly over buildings to get
 me from A to B faster, it doesn't mean that the onboard navigation
 software will do that, or be designed to do that. I might really really
 want it to do that (I do) and I might really hate that it doesn't do that
 (I do) but that doesn't make it a software bug. The software does exactly
 what it is intended to do, which is navigation.

 WordPress allows certain files types to be uploaded via the media manager,
 and does not allow any files to be uploaded that aren't of those types.
 Blocking the upload of files that are not allowed is not a bug, it is the
 design of the software, and contrary to what users may or may not think,
 it is doing exactly what it is designed to due (and therefore by
 definition not a bug).

 WordPress needs to be secure, by default, for all users. SVG uploads via
 the media manager will not be permitted in core in their current document
 declaration iteration.

 Tagging as wontfix, for the same reasons nacin pointed out 2 years ago,
 and will probably be true for many more years.

Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:27>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list