Version Description
- A fix for SVGZ uploads failing and not sanitising correctly
Release Info
| Developer | enshrined |
| Plugin | |
| Version | 1.3.4 |
Code changes from version 1.3.2 to 1.3.4
- licence.txt +1 -1
- readme.txt +8 -2
- safe-svg.php +34 -4
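--- a/licence.txt
+++ b/licence.txt
@@ -1,4 +1,4 @@
-Safe SVG - Upload and sanitize SVGs within
+Safe SVG - Upload and sanitize SVGs within WordPress
 
 Copyright 2015 Daryll Doyle
 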
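--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: http://enshrined.co.uk
 Tags: svg, sanitize, uploads, sanitise, security, svg upload
 Requires at least: 4.0
 Tested up to: 4.7.2
-Stable tag: 1.3.
+Stable tag: 1.3.4
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -45,4 +45,10 @@ Install through the WordPress directory or download, unzip and upload the files
 * Updated underlying library version
 
 = 1.3.2 =
-* Fix for the mime type issue in 4.7.1. Mad props to @lewiscowles
+* Fix for the mime type issue in 4.7.1. Mad props to @lewiscowles
+
+= 1.3.3 =
+* Allow SVGZ uploads
+
+= 1.3.4 =
+* A fix for SVGZ uploads failing and not sanitising correctly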
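--- a/safe-svg.php
+++ b/safe-svg.php
@@ -2,8 +2,8 @@
 /*
 Plugin Name: Safe SVG
 Plugin URI: https://wordpress.org/plugins/safe-svg/
-Description: Allows SVG uploads into
-Version: 1.3.
+Description: Allows SVG uploads into WordPress and sanitizes the SVG before saving it
+Version: 1.3.4
 Author: Daryll Doyle
 Author URI: http://enshrined.co.uk
 Text Domain: safe-svg
@@ -49,6 +49,7 @@ if ( ! class_exists( 'safe_svg' ) ) {
 */
 public function allow_svg( $mimes ) {
 $mimes['svg'] = 'image/svg+xml';
+$mimes['svgz'] = 'image/svg+xml';
 
 return $mimes;
 }
@@ -73,7 +74,10 @@ if ( ! class_exists( 'safe_svg' ) ) {
 if ( $ext === 'svg' ) {
 $data['type'] = 'image/svg+xml';
 $data['ext'] = 'svg';
-}
+} elseif ( $ext === 'svgz' ) {
+$data['type'] = 'image/svg+xml';
+$data['ext'] = 'svgz';
+}
 
 return $data;
 }
@@ -107,17 +111,43 @@ if ( ! class_exists( 'safe_svg' ) ) {
 protected function sanitize( $file ) {
 $dirty = file_get_contents( $file );
 
+// Is the SVG gzipped? If so we try and decode the string
+if ( $is_zipped = $this->is_gzipped( $dirty ) ) {
+$dirty = gzdecode( $dirty );
+
+// If decoding fails, bail as we're not secure
+if ( $dirty === false ) {
+return false;
+}
+}
+
 $clean = $this->sanitizer->sanitize( $dirty );
 
 if ( $clean === false ) {
 return false;
 }
 
+// If we were gzipped, we need to re-zip
+if ( $is_zipped ) {
+$clean = gzencode( $clean );
+}
+
 file_put_contents( $file, $clean );
 
 return true;
-
+}
 
+/**
+* Check if the contents are gzipped
+* @see http://www.gzip.org/zlib/rfc-gzip.html#member-format
+*
+* @param $contents
+*
+* @return bool
+*/
+protected function is_gzipped( $contents ) {
+return 0 === mb_strpos( $contents , "\x1f" . "\x8b" . "\x08" );
+}
 }
 }
 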
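Review bot: `$dirty = gzdecode( $dirty );` in the new `sanitize()` body inflates attacker-controlled upload bytes with no size bound, so a small .svgz crafted to expand far past the PHP memory limit can take the upload request down before the sanitizer ever runs. `gzdecode()` accepts a `$max_length` second argument; decode with a cap and reject anything that reaches it, e.g. `$dirty = gzdecode( $dirty, $max_bytes + 1 );` followed by `if ( $dirty === false || strlen( $dirty ) > $max_bytes ) { return false; }` (I would not rely on whether an over-limit stream yields `false` or a truncated string, so the length check covers both outcomes). A second point in the same hunk: `is_gzipped()` tests the magic bytes with `mb_strpos`, which counts characters in the configured mbstring internal encoding rather than bytes and requires that extension to be loaded, so the check may not match a binary prefix reliably; a byte comparison such as `return 0 === strncmp( $contents, "\x1f\x8b\x08", 3 );` is the dependable form. Both `sanitize()` and `is_gzipped()` start and end within this hunk, but the enclosing class does not.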
