Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#39580 closed defect (bug) (duplicate)

New wp_get_image_mime() function breaks SVG uploads

Reported by: room34
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.7.1
Component: Upload
Keywords:
Focuses:
Cc:
PR Number:

Description

I have used the 'upload_mimes' action to add support for uploading SVGs to a site. This was working fine up through WP 4.7, but has broken in 4.7.1. Now an SVG upload returns the "Sorry, this file type is not permitted for security reasons" message, even though I have confirmed SVG is still in the array of allowed MIME types for the site.

I believe I have tracked the cause to the new function wp_get_image_mime(), introduced in 4.7.1. This relies on two core PHP functions, exif_imagetype() and image_type_to_mime_type(), which apparently do not recognize SVG files.

Because the SVG MIME type is "image/svg+xml" (specifically, because its type starts with "image/"), an SVG upload is triggering wp_get_image_mime() to run while validating the upload. But since these PHP functions don't recognize SVG files, wp_get_image_mime() is returning false, even if SVG support has been added with 'upload_mimes'.

I have confirmed that this function is causing SVG uploads to fail by temporarily modifying the function to simply return "image/svg+xml". When it returns that string, SVG uploads work.

I'm aware that there are legitimate security reasons why SVG support is not built in by default, but if a developer specifically uses the 'upload_mimes' action to allow it, I believe that should work.
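The validation flow reported above, as an added standalone PHP sketch (not WordPress core code and not part of the original ticket): an extension allow list admits SVG, but a content sniff built on exif_imagetype() and image_type_to_mime_type() cannot identify it, so the file is refused. The names check_upload() and sniff_image_mime() and the sample files are constructed for illustration; the exif extension is assumed to be loaded.

```php
<?php
// Added illustration; not WordPress core code. Function names are hypothetical.

// Extension => MIME allow list, standing in for a site's list after 'upload_mimes' adds SVG.
$allowed = array( 'png' => 'image/png', 'svg' => 'image/svg+xml' );

// Sniff the real type with the two PHP functions named in the ticket.
function sniff_image_mime( $path ) {
    if ( ! is_callable( 'exif_imagetype' ) ) {
        return false; // exif extension not loaded
    }
    $type = @exif_imagetype( $path ); // false when no known image signature matches
    return false === $type ? false : image_type_to_mime_type( $type );
}

// Returns the accepted MIME type, or false when the upload is refused.
function check_upload( $path, $filename, array $allowed ) {
    $ext  = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
    $type = isset( $allowed[ $ext ] ) ? $allowed[ $ext ] : false;
    if ( $type && 0 === strpos( $type, 'image/' ) ) {
        $real = sniff_image_mime( $path );
        // A failed sniff or a content/extension mismatch refuses the file (this sketch's choice).
        if ( false === $real || $real !== $type ) {
            return false;
        }
    }
    return $type;
}

// Constructed sample inputs: a PNG signature stub and a minimal SVG document.
$samples = array(
    'pixel.png' => "\x89PNG\r\n\x1a\n" . str_repeat( "\0", 24 ),
    'logo.svg'  => '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"></svg>',
);

foreach ( $samples as $name => $bytes ) {
    $tmp = tempnam( sys_get_temp_dir(), 'upl' );
    file_put_contents( $tmp, $bytes );
    $result = check_upload( $tmp, $name, $allowed );
    printf( "%-10s => %s\n", $name, false === $result ? 'rejected' : $result );
    unlink( $tmp );
}
```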

Change History (3)

#1 @SergeyBiryukov
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi @room34, thanks for the ticket!

We're already tracking this issue in #39552 and #39550.

#2 @room34
3 years ago

Thanks! Sorry I failed to locate those tickets before submitting my duplicate.

This ticket was mentioned in Slack in #core by rachelbaker.


3 years ago
