Changeset 949454

Timestamp:

07/16/2014 08:13:53 AM (12 years ago)

Author:

sterlo

Message:

Update to latest v2.3.1 codebase from GitHub.

Location:

scalable-vector-graphics-svg/trunk

Files:

• library (added)
• library/class.svg-sanitizer.php (added)
• library/data.svg-whitelist.php (added)
• readme.txt (modified) (3 diffs)
• scalable-vector-graphics.php (modified) (3 diffs)

scalable-vector-graphics-svg/trunk/readme.txt

@@ -4 +4 @@
 Tags: svg, scalable, vector, graphics, mime, type, images, uploads
 Requires at least: 3.0
-Tested up to: 3.9
+Tested up to: 4.0-beta1
 Stable tag: trunk
 License: GPLv2 or later
@@ -16 +16 @@
 
 The main project page is located here: [http://sterlinghamilton.com/projects/scalable-vector-graphics-svg/](http://sterlinghamilton.com/projects/scalable-vector-graphics-svg/ "Scalable Vector Graphics (SVG) | Sterling Hamilton")
+
+Warning: Understanding that uploading any file to the system is a potential security risk, it is strongly recommended to only let trusted users to have upload privileges.
+
+Resources for understanding security risks:
+* http://security.stackexchange.com/questions/11384/exploits-or-other-security-risks-with-svg-upload
+* https://www.youtube.com/watch?v=v-a77QdoK2I
 
 == Installation ==
@@ -38 +44 @@
 * IMPORTANT: Anyone using the version prior to 2.0 were using shortcodes to display SVG files. You will have to go back and replace those shortcodes with actual image tags. If you're not familiar with HTML, you can just delete the shortcode out of the page/post and then insert the SVG file as you would any other image.
 * Thanks to the guys over at mozilla.org for kicking me in the butt to actually fix this thing: https://bugzilla.mozilla.org/show_bug.cgi?id=721830
+= 2.2.1 =
+* Added a security library to scan all uploaded SVG files. It has a list of "expected" elements and attributes, if the file contains thing it does not expect, it removes them. This will include things like Javascript.
+* The security cannot be perfect and it is recommended to only provide upload privileges to trusted users.
+* Props to thedwards for bringing this to my attention.
+= 2.3.1 =
+* Added inline styling to tha administration area so SVG attachments will show up in list/grid views.
+* Props to shield-9 (Daisuke Takahashi) for the code.

scalable-vector-graphics-svg/trunk/scalable-vector-graphics.php

@@ -4 +4 @@
  * Plugin URI: http://sterlinghamilton.com/projects/scalable-vector-graphics-svg/
  * Description: Scalable Vector Graphics are two-dimensional vector graphics, that can be both static and dynamic. This plugin allows your to easily use them on your site.
- * Version: 2.1.1
+ * Version: 2.3.1
  * Author: Sterling Hamilton
  * Author URI: http://sterlinghamilton.com
@@ -28 +28 @@
     public function execute() {
         $this->_enable_svg_mime_type();
+        add_filter( 'wp_handle_upload_prefilter', array( $this, 'sanitize_svg' ) );
+        add_action( 'admin_enqueue_scripts', array( $this, 'styles' ) );
+    }
+
+    // Here we use a whitelist library to attempt at sanitizing potential security threats.
+    public function sanitize_svg( $file ) {
+        if( $file[ 'type' ] == 'image/svg+xml' ) {
+            require_once 'library/class.svg-sanitizer.php';
+
+            $svg = new SvgSanitizer();
+            // We read in the temporary file prior to WordPress moving it.
+            $svg->load( $file[ 'tmp_name' ] );
+            $svg->sanitize();
+            $sanitized_svg = $svg->saveSVG();
+
+            global $wp_filesystem;
+            $creds = request_filesystem_credentials(site_url() . '/wp-admin/', '', FALSE, FALSE, array());
+            if ( ! WP_Filesystem( $creds ) ) {
+                request_filesystem_credentials( $url, '', TRUE, FALSE, NULL );
+            }
+
+            // Using the filesystem API provided by WordPress, we replace the contents of the temporary file and then let the process continue as normal.
+            $replace_uploaded_file = $wp_filesystem->put_contents($file['tmp_name'], $sanitized_svg, FS_CHMOD_FILE);
+        }
+
+        return $file;
     }
 
@@ -44 +70 @@
     }
 
+    public function styles() {
+        wp_add_inline_style( 'wp-admin', "img.attachment-80x60[src$='.svg'] { width: 100%; height: auto; }" );
+    }
 }