Resolved: gecko_guy (@gecko_guy)


    Hey, so there is a lot of discussion and I’m sure you know about the Trac tickets relating to SVG and security.

    E.g. this one has been open for years:

    https://core.trac.wordpress.org/ticket/24251

    Recently a lot of people have been thrown out of whack by the recent changes in WP 4.7.1 in relation to SVG (and .dat) files no longer being allowed.

    Reference:
    https://core.trac.wordpress.org/changeset/39831

    There are some crazy threads out there on working around this:

    http://wordpress.stackexchange.com/questions/252253/cant-upload-svg-files-after-updating-wordpress-4-7-1

    Wow. Allow uploading of PHP files into the media library, anyone?

    (P.S. anyone reading this thread, I posted that last link above as a crazy example of what NOT to do, unless you want to be hacked.)

    So while trying to understand why previous solutions no longer work, I stumbled on this plugin, which does work, but it also makes me wonder if the reason it works could also lead to vulnerability.

    I have of course read the advice offered on the plugin description page, so really the reason I’m posting is to try and understand more in terms of reference to the recent update of WP that blocks SVGs in most cases unless one overrides things.

    I’ve also read the post which uses the same “fix” you have added for the time being in the latest version of this plugin:

    http://wordpress.stackexchange.com/questions/252143/svg-files-not-uploading-since-most-recent-wp-update

    But... I do not really understand the implications of this.

    Can you share some further thoughts about the security aspects of this plugin please, and how the recent changes to core have been circumvented/overcome in order to make this plugin continue to function as desired by using this “disable real mime type check”?

    Thanks

Viewing 5 replies - 1 through 5 (of 5 total)
    It was fixed yesterday, before I went to my new meetup, without allowing upload of PHP files or other files that are not SVG: https://github.com/Lewiscowles1986/WordPressSVGPlugin/

    If you really want the largest change to 4.7.1, I think it’s in /wp-admin/includes/file.php. AFAIK it never used to use GD to verify files in the way it does now, and it does so without an appropriate hook. GD is used by many plugins and, I think, the WP core media editing tools. It is a bit of a surprise it doesn’t support SVG, but until it does you have to remove the ‘image/’ prefix from any mime type not supported by GD.

    Plugin Author Benbodhi

    (@benbodhi)

    Hi @gecko_guy,

    Allowing SVG uploads is a risk in itself because nasty scripts can be uploaded as SVG files… My plugin has a setting to restrict the ability to upload SVG to admins only to try and provide a little security there.

    As for the recent changes, when WP changed the way they handle file types, I added the following function temporarily. It looks like they will be fixing this issue in 4.7.2, which will allow me to remove the function again. This function doesn’t completely disable the upload filter like the wp-config option you mentioned, and it doesn’t allow PHP uploads to media library.

    ```php
    /**
     * TEMP FIX FOR 4.7.1
     * Issue should be fixed in 4.7.2 in which case this will be deleted.
     *
     * Runs on the 'wp_check_filetype_and_ext' filter. Instead of the result of
     * core's real-MIME comparison ($data), it returns the extension-derived
     * ext/type from wp_check_filetype(), so a file is judged by its extension
     * against the allowed mimes list only.
     */
    function bodhi_svgs_disable_real_mime_check( $data, $file, $filename, $mimes ) {
        $wp_filetype = wp_check_filetype( $filename, $mimes );

        $ext             = $wp_filetype['ext'];
        $type            = $wp_filetype['type'];
        $proper_filename = $data['proper_filename'];

        return compact( 'ext', 'type', 'proper_filename' );
    }
    add_filter( 'wp_check_filetype_and_ext', 'bodhi_svgs_disable_real_mime_check', 10, 4 );
    ```

    I hope this answers some of your questions.
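    For comparison, here is an added example (not the plugin's code, and not posted by anyone in this thread) of a narrower version of that filter: it only overrides core's real-MIME result for .svg uploads by administrators whose body actually parses as a clean SVG document, and leaves every other upload to core. The function names are hypothetical; wp_check_filetype(), current_user_can() and the filter hook are WordPress core.

    ```php
    <?php
    /**
     * Example (not the plugin's code): a narrower version of the temporary filter above.
     * Core's real-MIME check is only overridden for uploads with a .svg extension, made by
     * an administrator, whose body parses as an XML document rooted at <svg> with no
     * <script> elements, no on* event-handler attributes and no DOCTYPE (which could
     * declare entities). Every other upload is returned to core's check untouched.
     * Function names are hypothetical; wp_check_filetype() and current_user_can() are core.
     */
    function example_svg_only_filetype_check( $data, $file, $filename, $mimes ) {
        $wp_filetype = wp_check_filetype( $filename, $mimes );

        // Not an SVG, or not an admin: let core's finfo/GD comparison decide as usual.
        if ( 'svg' !== $wp_filetype['ext'] || ! current_user_can( 'manage_options' ) ) {
            return $data;
        }

        // $file is the temporary upload path; reject outright if the body is not clean SVG.
        $contents = file_get_contents( $file );
        if ( false === $contents || ! example_svg_body_is_clean( $contents ) ) {
            return array( 'ext' => false, 'type' => false, 'proper_filename' => false );
        }

        $data['ext']  = $wp_filetype['ext'];  // 'svg'
        $data['type'] = $wp_filetype['type']; // the image/svg+xml entry from $mimes
        return $data;
    }
    add_filter( 'wp_check_filetype_and_ext', 'example_svg_only_filetype_check', 10, 4 );

    function example_svg_body_is_clean( $xml ) {
        $prev = libxml_use_internal_errors( true );
        $doc  = new DOMDocument();
        // LIBXML_NONET blocks network fetches; LIBXML_NOENT is deliberately not set.
        $ok   = $doc->loadXML( $xml, LIBXML_NONET );
        libxml_use_internal_errors( $prev );

        if ( ! $ok || null !== $doc->doctype || 'svg' !== $doc->documentElement->localName ) {
            return false;
        }

        $xpath    = new DOMXPath( $doc );
        $scripts  = $xpath->query( '//*[local-name()="script"]' );        // <script> in any namespace
        $handlers = $xpath->query( '//@*[starts-with(name(), "on")]' ); // onload="...", onclick="..."
        return 0 === $scripts->length && 0 === $handlers->length;
    }
    ```

    Returning false for ext and type makes core reject the upload with its usual "not permitted for security reasons" error, so a file that fails the structural check never reaches the media library.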

    Plugin Author Benbodhi

    (@benbodhi)

    Hey @lewiscowles,

    Your plugin looks really cool, nice neat OOP, thanks for sharing 🙂

    Thread Starter gecko_guy

    (@gecko_guy)

    Hi Benbodhi,

    Yes, thanks for the info, and thanks also to @lewiscowles for sharing your plugin.

    It makes me feel more comfortable just by understanding where things are coming from (on the WP side), and that you are giving as much thought to security as you are.

    Really appreciate you taking time to respond, and thanks also for keeping the plugin updated and functional! 🙂

    Plugin Author Benbodhi

    (@benbodhi)

    My pleasure, thanks for your support!

The topic ‘Is it secure (within reason)’ is closed to new replies.