[wp-trac] [WordPress Trac] #39552: SVG upload support broken in 4.7.1
WordPress Trac
noreply at wordpress.org
Thu Jan 12 01:08:52 UTC 2017
#39552: SVG upload support broken in 4.7.1
--------------------------+-----------------------------
Reporter: freakpants | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upload | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
The added function wp_get_image_mime
{{{#!php
<?php
function wp_get_image_mime( $file ) {
	/*
	 * Use exif_imagetype() to check the mimetype if available or fall back to
	 * getimagesize() if exif isn't available. If either function throws an Exception
	 * we assume the file could not be validated.
	 */
	try {
		if ( is_callable( 'exif_imagetype' ) ) {
			$mime = image_type_to_mime_type( exif_imagetype( $file ) );
		} elseif ( function_exists( 'getimagesize' ) ) {
			$imagesize = getimagesize( $file );
			$mime = ( isset( $imagesize['mime'] ) ) ? $imagesize['mime'] : false;
		} else {
			$mime = false;
		}
	} catch ( Exception $e ) {
		$mime = false;
	}
	return $mime;
}
}}}
returns false for svg images.
This results in a security error when uploading svg images.
This is because neither exif-imagetype
(http://php.net/manual/en/function.exif-imagetype.php) nor getimagesize()
can correctly determine the svg mime type. (It is not one of the constants
returned, and therefore just answers with false instead of a constant that
would reference image/svg+xml.)
Solution: Use finfo to also validate the svg mime type:
{{{#!php
<?php
$finfo = finfo_open( FILEINFO_MIME_TYPE );
$mime = finfo_file( $finfo, $file );
finfo_close( $finfo );
}}}
The breaking functionality was added in this commit:
https://github.com/WordPress/WordPress/commit/8eff9278234f473b66310f3013b96ac6441a20da
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39552>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
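
The fallback proposed in the ticket, as an added example that is not part of the original report and is not WordPress core code: the raster-only detector runs first and finfo is consulted only when it gives no answer, then the detected type is compared with the claimed type and an allowlist. The function names, the allowlist and the sample SVG are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not WordPress core functions.

// Detect a MIME type from file content. exif_imagetype() only knows the
// raster formats behind the IMAGETYPE_* constants, so SVG falls through
// to the fileinfo (libmagic) check suggested in the ticket.
function example_detect_image_mime( string $file ) {
	$mime = false;
	if ( is_callable( 'exif_imagetype' ) ) {
		$type = @exif_imagetype( $file ); // @: very short files raise a notice
		if ( false !== $type ) {
			$mime = image_type_to_mime_type( $type );
		}
	}
	if ( false === $mime && function_exists( 'finfo_open' ) ) {
		$finfo = finfo_open( FILEINFO_MIME_TYPE );
		if ( false !== $finfo ) {
			$mime = finfo_file( $finfo, $file );
			finfo_close( $finfo );
		}
	}
	return $mime;
}

// Accept an upload only if the sniffed type is on the allowlist and
// agrees with the type the uploader claimed (e.g. derived from the extension).
function example_upload_type_ok( string $file, string $claimed, array $allowed ): bool {
	$real = example_detect_image_mime( $file );
	return false !== $real && $real === $claimed && in_array( $real, $allowed, true );
}

// Constructed sample input: a minimal SVG written to a temporary file.
$path = tempnam( sys_get_temp_dir(), 'svg' );
file_put_contents(
	$path,
	'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>'
);

$allowed = array( 'image/png', 'image/jpeg', 'image/svg+xml' ); // assumed policy
var_dump( example_detect_image_mime( $path ) );
var_dump( example_upload_type_ok( $path, 'image/svg+xml', $allowed ) );
var_dump( example_upload_type_ok( $path, 'image/png', $allowed ) );
unlink( $path );
```

The string finfo reports for an SVG depends on the libmagic database PHP was built with, so compare against what the target servers actually return. A matching MIME type only identifies the format; it does not mean the SVG is free of script content.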