Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow SVGs to be uploaded on all admin pages #240

Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

Allow SVGs to be uploaded on all admin pages #240

wants to merge 2 commits into from
+1 −6

Conversation

stormrockwell
Copy link

@stormrockwell stormrockwell commented Dec 5, 2024
edited
Loading

Description of the Change

#228
In 2.3.0, there was a breaking change for us, which prevented the addition of SVGs outside of posts or media library. I need the ability to add SVGs on admin pages/tools/terms/etc.

I've made it a lot broader by instead hooking into admin_init, and all of the tests seem to pass except one that doesn't run on develop either for me, "Admin can add SVG block to a post."

I initially went with adding hooks for load-admin.php/load-edit-tags.php/etc, but I didn't see an issue broadening it to all of the admin interfaces, which might be my ignorance of this project. If there are better hooks we can use to cover every case, let me know, and I will make the changes!

How to test the Change

Try adding SVGs to option pages, often added by plugins/themes.

Changelog Entry

Fixed - Bug that prevented admins from uploading SVGs on admin pages outside of the post and media library pages.

Added - New feature
Changed - Existing functionality
Deprecated - Soon-to-be removed feature
Removed - Feature
Fixed - Bug fix
Security - Vulnerability
Developer - Non-functional update

Credits

Just me and whomever helps if we change the hooks!

Checklist:

dkotter
dkotter reviewed Dec 5, 2024
View reviewed changes
Copy link
Collaborator

@dkotter dkotter left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @stormrockwell. While I understand the desire to upload SVGs in more contexts, the changes made in #228 were done to fix a security vulnerability and as such, we're unlikely to change the behavior introduced there.

The short version here is that we only want to allow SVGs to be uploaded in contexts where we can be sure the SVG is passing through our sanitization methods. Otherwise someone could upload an insecure SVG and that could then possibly execute unwanted code. So allowing SVGs to be uploaded in any admin context could allow SVGs to bypass sanitization.

@stormrockwell
Copy link
Author

stormrockwell commented Dec 5, 2024
edited
Loading

@dkotter I understand the reasoning, but it's a bit of a bummer. Has anyone looked into if there's a way to ensure SVGs are sanitized in additional contexts? If not, I can try to look into it at a later date

@dkotter
Copy link
Collaborator

dkotter commented Dec 5, 2024

Has anyone looked into if there's a way to ensure SVGs are sanitized in additional contexts? If not, I can try to look into it at a later date

Our main goal was to ensure SVGs uploaded in traditional contexts pass through sanitization so not sure much time was spent looking at other contexts. Definitely interested though in expanding this so if you have time/interest to dive further into that, would be greatly appreciated

@dkotter dkotter mentioned this pull request Dec 9, 2024
Open
1 task
@stormrockwell
Copy link
Author

stormrockwell commented Dec 16, 2024
edited
Loading

@dkotter Wanted to post an update. I wasn't able to figure out how to bypass the sanitization after the previous security patch adding the wp_handle_sideload_prefilter hook. If someone could provide additional context on an additional hole with hooking in at the admin_init level I can explore more

@wpexplorer
Copy link

@dkotter
@darylldoyle (sorry for the mention, but since you submitted the original pull request I thought you may be interested)

Setting the upload_mimes in the various context (load-post.php, load-post-new.php...etc) can still have security concerns as 3rd party scripts can create their own upload functions within this context (in a metabox for example).

I think it would be better to hook into "plupload_default_settings" which is used to localize the settings passed to the WP uploader.

This would be done by adding svg to the list of allowed extensions:

add_filter( 'plupload_default_settings', function( $settings ) {
	if ( ! empty( $settings['filters']['mime_types'][0]['extensions'] ) ) {
		$settings['filters']['mime_types'][0]['extensions'] .= ',svg';
	} else {
		$settings['filters']['mime_types'][0]['extensions'] = 'svg';
	}
	return $settings;
} );

This way upload_mimes would remain unchanged and only the WP uploader script would be allowed to upload svg files. The the plugin hooks into wp_handle_upload_prefilter which should always be running when using the native WP uploader.

Besides hardening security, SVG's would be allowed in any context that uses the native WP uploader, regardless of where it's being used ;)

  • AJ

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dkotter dkotter dkotter left review comments

@jeffpaul jeffpaul Awaiting requested review from jeffpaul jeffpaul is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@stormrockwell stormrockwell

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@stormrockwell @dkotter @wpexplorer @jeffpaul