[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types
WordPress Trac
noreply at wordpress.org
Sat Feb 27 21:18:00 UTC 2016
#24251: Reconsider SVG inclusion to get_allowed_mime_types
---------------------------+------------------------------
Reporter: JustinSainton | Owner:
Type: enhancement | Status: reopened
Priority: normal | Milestone: Awaiting Review
Component: Upload | Version:
Severity: normal | Resolution:
Keywords: early | Focuses:
---------------------------+------------------------------
Comment (by chriscct7):
Replying to [comment:54 LewisCowles]:
> I tested this morning; WP does not protect against me uploading a
> text file renamed to .png, so there is probably very little to stop me
> uploading a malicious payload in any format.
That's not comparable to sanitized SVG upload. A PNG file, on render or
access, does not run scripts. An unsanitized SVG can contain JavaScript or
trigger remotely run code. There are quite a few different ways SVG files
can cause malicious output. A good overview of some of these issues is:
https://www.blackhat.com/docs/us-14/materials/us-14-DeGraaf-SVG-Exploiting-Browsers-Without-Image-Parsing-Bugs.pdf
However, as those slides were presented 2 years ago, several new attack
vectors found over the last 2 years are omitted, as well as possibilities
arising from the new SVG 2.0 spec.
> so there is probably very little to stop me uploading a malicious
> payload in any format
This would be a security bug. If you find or know a way to do this, please
email security@ wordpress.org so it can be fixed.
> It took virtually no time at all to build the PoC WP plugin to allow
> uploads of SVG. Then WP released an update and the plugin had to be
> modified.
The plugin didn't fully sanitize SVGs at the time it was uploaded. Whether
the plugin runs now or not as the result of a WordPress update is
irrelevant. Moreover, the new SVG 2.0 also adds more places for JS to be
placed in an SVG file that the plugin doesn't account for.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:57>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
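As an added illustration of the point made in the comment above (this is example code, not WordPress core and not the PoC plugin under discussion), the script below parses an SVG, lists the places where it could run script or pull in remote content, and then rebuilds it through an allowlist so that anything not explicitly permitted is dropped. The element and attribute allowlists are an illustrative subset chosen for this example, not any list WordPress uses, and the sample SVG and the `attacker.example` host are constructed for the demonstration.

```python
# Added example (not WordPress core or the plugin discussed above): the
# kinds of places an SVG can carry script or pull in remote content, and an
# allowlist sanitizer that drops everything it does not recognise.  Standard
# library only; the allowlists are an illustrative subset chosen for this
# example, not WordPress's list.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Illustrative allowlists (assumption for this example). Anything absent is
# dropped, so a vector the list never anticipated is removed as well.
SAFE_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "linearGradient",
    "radialGradient", "stop", "clipPath", "mask", "use", "image",
}
SAFE_ATTRS = {
    "id", "class", "width", "height", "viewBox", "x", "y", "x1", "y1", "x2",
    "y2", "cx", "cy", "r", "rx", "ry", "d", "points", "fill", "stroke",
    "stroke-width", "transform", "opacity", "offset", "stop-color",
    "font-size", "font-family", "text-anchor", "href",
}


def local(name):
    """Strip the {namespace} part from an ElementTree tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def find_script_vectors(svg_bytes):
    """Return (kind, detail) findings for each place the SVG could run
    script or fetch remote content. Not exhaustive: it covers <script>,
    <foreignObject>, on* handlers, javascript: URLs and non-fragment hrefs."""
    findings = []
    for el in ET.fromstring(svg_bytes).iter():
        tag = local(el.tag)
        if tag in ("script", "foreignObject"):
            findings.append(("element", tag))
        for name, value in el.attrib.items():
            lname = local(name)
            # Browsers tolerate whitespace inside "java\nscript:", so compare
            # against the value with all whitespace removed.
            compact = re.sub(r"\s+", "", value).lower()
            if lname.startswith("on"):
                findings.append(("event-handler", lname))
            elif compact.startswith("javascript:"):
                findings.append(("javascript-url", lname))
            elif lname == "href" and not compact.startswith("#"):
                findings.append(("external-reference", value.strip()))
    return findings


def _copy_allowed(el):
    """Rebuild el keeping only allowlisted attributes and child elements."""
    new = ET.Element(el.tag)
    for name, value in el.attrib.items():
        lname = local(name)
        if lname.startswith("on") or lname not in SAFE_ATTRS:
            continue
        if lname == "href" and not value.strip().startswith("#"):
            continue  # only same-document references survive
        new.set(name, value)
    new.text = el.text
    for child in el:
        if local(child.tag) in SAFE_ELEMENTS:
            sub = _copy_allowed(child)
            sub.tail = child.tail
            new.append(sub)
        else:
            # Drop the whole subtree but keep the text that followed it.
            tail = child.tail or ""
            if len(new):
                new[-1].tail = (new[-1].tail or "") + tail
            else:
                new.text = (new.text or "") + tail
    return new


def sanitize_svg(svg_bytes):
    """Return a serialized SVG containing only allowlisted content."""
    root = ET.fromstring(svg_bytes)
    if local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(_copy_allowed(root), encoding="unicode")


# Constructed sample combining several vectors in one file.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <script>alert(document.cookie)</script>
  <circle cx="50" cy="50" r="40" fill="red" onload="alert(1)"/>
  <a xlink:href="java&#10;script:alert(2)"><text x="10" y="20">click</text></a>
  <use xlink:href="http://attacker.example/evil.svg#x"/>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(3)"/></body>
  </foreignObject>
  <rect x="0" y="0" width="10" height="10" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    for kind, detail in find_script_vectors(SAMPLE_SVG):
        print(f"{kind}: {detail}")
    print(sanitize_svg(SAMPLE_SVG))
```

The detector is deliberately a blocklist and is therefore incomplete; the sanitizer is an allowlist, which is the shape that survives a growing spec: a new element or attribute introduced later is dropped until someone consciously adds it. Two caveats for real use: the stdlib parser does not defend against entity-expansion attacks, so parse uploads with something like defusedxml, and a sanitizer of this kind only matters once the server has confirmed the upload really is SVG rather than trusting the extension.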