
Changes between Initial Version and Version 1 of Ticket #24251, comment 80


Timestamp:
01/09/2019 04:00:13 PM
Author:
shamank
  • Ticket #24251, comment 80

    initial:
    I didn't read the entire thread, but I can understand the reason for not allowing svg uploads because of code injection. Now, vectors are the future and everybody knows and understands the importance of using them in their websites. Wouldn't it be a solution to only allow admin uploads? I mean, in the admin you allow even file editing, custom scripts, etc. You can also upload and install themes and plugins from untrusted sources, so if security is so relevant as to not allow specific file formats, shouldn't you also block all types of untrusted sources? If I build a theme/plugin and I use svg images inside, will they also be blocked and not executed in user/admin view?

    v1:
    I didn't read the entire thread, but I can understand the reason for not allowing svg uploads because of code injection. Now, vectors are the future and everybody knows and understands the importance of using them in their websites. Wouldn't it be a solution to only allow admin uploads? I mean, in the admin you allow even file editing, custom scripts, etc. You can also upload and install themes and plugins from untrusted sources, so if security is so relevant as to not allow specific file formats, shouldn't you also be blocking all types of untrusted sources? If I build a theme/plugin and I implement svg images inside, will they also be blocked and not executed in user/admin view?

    initial:
    I'm here because I can't use svg files in my theme anymore (something related to the latest versions of the Avada theme), even using an svg support plugin. So the only solution that worked was this in wp-config.php:

    v1:
    I'm here because I can't use svg files in my theme anymore (something related to the latest versions of the Avada theme), even using an svg support plugin. So the only solution that worked was to add this in wp-config.php:

    unchanged:
    **define('ALLOW_UNFILTERED_UPLOADS', true);**

    initial:
    Do you think this is The way to handle this? Forcing users to allow everything just because of a forbidden (and widely used across the internet) file type? Do you think you lead me to have a more secure website after this?

    v1:
    Do you think this is The way to handle this? Forcing users to allow everything just because of a forbidden (and widely used across the internet) file type? Do you think you lead me to have a more secure website after this? Do you think you are not responsible anymore because I added an insecure option by myself and now I deserve to be hacked for that? Why is there such an option if it's all supposed to be completely safe?

    initial:
    **PLEASE**, in the name of the future, find a solution to calm down the paranoia on behalf of common sense.

    v1:
    **PLEASE**, in the name of the future, find a solution to calm down the paranoia on behalf of common sense. Maybe adding an ALLOW_RESTRICTED_FILE_SUPPORT_SVG flag.

    Thank you.
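The comment above reaches for `ALLOW_UNFILTERED_UPLOADS`, which switches off the upload type whitelist for every file type and every user, to get one format through. What the commenter actually asks for (SVG only, admins only) can be scoped with core's own hooks instead. The plugin below is an added example written for this page; it is not WordPress core code, not the commenter's, and not taken from any SVG support plugin. It assumes the `upload_mimes`, `wp_check_filetype_and_ext` and `wp_handle_upload_prefilter` filters as they exist in WordPress 4.7.1 and later, and it uses the `manage_options` capability as the stand-in for "admin"; the function names prefixed `scoped_svg_` are invented for the example.

```php
<?php
/*
 * Plugin Name: Scoped SVG uploads (added example)
 *
 * Added example for illustration, not WordPress core code. Drop it into
 * wp-content/mu-plugins/ instead of enabling ALLOW_UNFILTERED_UPLOADS.
 * Assumes the core filters upload_mimes, wp_check_filetype_and_ext and
 * wp_handle_upload_prefilter (WordPress 4.7.1+).
 */

// The blunt setting from the comment, shown for contrast. It removes the
// file type whitelist for every upload by every user:
//     define('ALLOW_UNFILTERED_UPLOADS', true);

/** Who may upload SVG: users holding this capability (assumption: admins). */
function scoped_svg_allowed_for_current_user(): bool {
    return current_user_can('manage_options');
}

// 1. Add SVG to the allowed MIME list, and only for privileged users.
add_filter('upload_mimes', function (array $mimes): array {
    if (scoped_svg_allowed_for_current_user()) {
        $mimes['svg'] = 'image/svg+xml';
    }
    return $mimes;
});

// 2. Tell the extension/MIME consistency check what an .svg is, so the
//    upload is not rejected as a type mismatch.
add_filter('wp_check_filetype_and_ext', function ($data, $file, $filename, $mimes) {
    if (scoped_svg_allowed_for_current_user() && preg_match('/\.svg$/i', $filename)) {
        $data['ext']  = 'svg';
        $data['type'] = 'image/svg+xml';
    }
    return $data;
}, 10, 4);

// 3. Refuse SVGs carrying active content before they reach the uploads dir.
add_filter('wp_handle_upload_prefilter', function (array $file): array {
    if (!preg_match('/\.svg$/i', $file['name'])) {
        return $file;
    }
    $xml = file_get_contents($file['tmp_name']);
    if ($xml === false || scoped_svg_has_active_content($xml)) {
        // Setting 'error' makes wp_handle_upload() abort with this message.
        $file['error'] = 'SVG rejected: it contains a DOCTYPE, script, '
                       . 'foreignObject, event handler or javascript: URL.';
    }
    return $file;
});

/**
 * Conservative detector for what makes a directly served SVG executable:
 * <script>, <foreignObject> (can wrap arbitrary HTML), on* event attributes
 * and javascript: hrefs. A DOCTYPE is rejected as well, so no entity is ever
 * expanded. Anything the parser cannot read is rejected rather than trusted.
 */
function scoped_svg_has_active_content(string $xml): bool {
    $prev = libxml_use_internal_errors(true);
    $doc  = new DOMDocument();
    $ok   = $doc->loadXML($xml, LIBXML_NONET);   // never fetch remote resources
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    if (!$ok || $doc->doctype !== null) {
        return true;
    }
    // '*' matches every element regardless of namespace prefix.
    foreach ($doc->getElementsByTagName('*') as $el) {
        $name = strtolower($el->localName);
        if ($name === 'script' || $name === 'foreignobject') {
            return true;
        }
        foreach ($el->attributes as $attr) {
            $aname = strtolower($attr->localName);   // xlink:href -> href
            $value = strtolower(trim($attr->value));
            if (strpos($aname, 'on') === 0) {         // onload, onclick, ...
                return true;
            }
            if ($aname === 'href' && strpos($value, 'javascript:') === 0) {
                return true;
            }
        }
    }
    return false;
}
```

This keeps the rest of the whitelist intact and ties SVG to a capability, which is the trade-off the comment argues for: an administrator who can already edit theme files gains nothing new from an SVG with a script in it, while subscribers and contributors still cannot upload one at all. The content check is deliberately a rejection filter, not a sanitiser; an SVG that trips it is refused outright rather than rewritten, and the file is still served with its own MIME type, so the usual Content-Security-Policy on the uploads path remains worth having.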