• I have hit an issue when I have a user with role “editor” and no other roles. Regardless of the image I upload, I get the error message “Sorry, this file couldn’t be sanitized so for security reasons and wasn’t uploaded.” (note the period in this error)

    My settings are as follows:
    Restrict SVG uploads to: Administrator, editor, client-admin

    Sanitize SVG while uploading: Yes
    Do not sanitize for these roles: Administrator

    The SVG contains the following code, exported from Sketch:

    <svg width="29px" height="29px" viewBox="0 0 29 29" version="1.1" xmlns="https://www.w3.org/2000/svg" xmlns:xlink="https://www.w3.org/1999/xlink">
        <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
            <g id="Mortgage-Discount" transform="translate(-0.010000, 0.710000)">
                <rect id="Rectangle" fill="#044263" fill-rule="nonzero" x="17.18" y="0.55" width="2.84" height="4.32"></rect>
                <polygon id="Path" fill="#044263" points="26.16 8.25 14.4 1.07 2.84 8.25 2.84 26.62 26.16 26.62"></polygon>
                <polygon id="Path" fill="#FFFFFF" points="2.84 8.57 13.86 1.4 14.4 1.07 18.16 3.37 26.16 8.57 26.16 10.6 14.5 3.02 2.84 10.6"></polygon>
                <rect id="Rectangle" fill="#044263" fill-rule="nonzero" x="2.06" y="26.62" width="24.87" height="1.35"></rect>
                <polygon id="Path" fill="#044263" points="0 9.43 14.5 1.77635684e-15 29 9.43 27.44 10.45 14.5 2.03 1.56 10.45"></polygon>
                <rect id="Rectangle" fill="#2D4C60" fill-rule="nonzero" x="5.21" y="12.96" width="8.98" height="8.69"></rect>
                <rect id="Rectangle" fill="#ECF7FB" fill-rule="nonzero" x="5.74" y="13.55" width="7.91" height="7.51"></rect>
                <rect id="Rectangle" fill="#2D4C60" fill-rule="nonzero" x="5.55" y="16.16" width="8.3" height="1"></rect>
                <rect id="Rectangle" fill="#2D4C60" fill-rule="nonzero" x="16.01" y="12.96" width="5.96" height="13.14"></rect>
                <rect id="Rectangle" fill="#19303B" fill-rule="nonzero" x="16.44" y="13.53" width="5.1" height="12.01"></rect>
                <rect id="Rectangle" fill="#ECF7FB" fill-rule="nonzero" x="16.78" y="13.88" width="4.43" height="11.3"></rect>
                <path d="M17.04,19.01 C17.23,19.01 17.38,19.16 17.38,19.35 C17.38,19.54 17.23,19.69 17.04,19.69 C16.85,19.69 16.7,19.54 16.7,19.35 C16.7,19.16 16.85,19.01 17.04,19.01 L17.04,19.01 Z" id="Path" fill="#044263"></path>
                <rect id="Rectangle" fill="#19303B" fill-rule="nonzero" x="16.44" y="20.08" width="5.1" height="1"></rect>
            </g>
        </g>
    </svg>

    From looking at the source (attachment.php, line 241), unless I am misreading this, it appears that the code is actually only running sanitization if my user has both:
    1. a role in the “Restrict uploads to” field
    2. a role in the “Do not sanitize for these roles” field

    And is actually just returning a generic “Sorry, this file couldn’t be sanitized so for security reasons and wasn’t uploaded.” Note again the period in the error message, which is missing from the return message on line 248 (the message returned when sanitization actually fails)

    In other words, the function bodhi_svgs_sanitize doesn’t appear to ever be called, unless my user has a role in the “Do not sanitize” box. This seems counterintuitive, but perhaps I’m misreading.

    Can you help with this? Is there anything in my SVG file that seems unusual?

    • This topic was modified 2 years, 3 months ago by surlybirdz.
Viewing 1 replies (of 1 total)
  • Yes, there is a problem, because the plugin config page asks for roles for which sanitization will be skipped (“Do not sanitize for these roles”), and in the plugin code the relevant variable named sanitize_on_upload_roles is treated the opposite way. I’ve solved this issue for myself by changing the plugin code in the functions/attachment.php file from:

    if ( !empty($bodhi_svgs_options['sanitize_svg']) && $bodhi_svgs_options['sanitize_svg'] === 'on' && $bodhi_svgs_options['sanitize_on_upload_roles'][0] != "none" ) {

    to

    if ( !empty($bodhi_svgs_options['sanitize_svg']) && $bodhi_svgs_options['sanitize_svg'] === 'on') {

    and from

    if( empty($should_sanitize_svg) ) {

    to

    if( !empty($should_sanitize_svg) ) {

    and this works for me. Sanitization is skipped only for the selected roles, and if the exception field is empty then sanitization is enabled for everyone. Thus, it won’t work correctly for a WordPress role named “none” (if one is created and used), because for an empty exception list this plugin, in another part of its code, adds a bogus “none” element to the variable which holds the sanitization exception roles.
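As an added illustration of the logic described in this reply (not the plugin’s own code), here is a minimal PHP model of the role check with the original and the corrected branch side by side. The option keys are the ones quoted above; the function names and the pass/sanitize/reject outcomes are assumptions made for this example, and the separate “Restrict SVG uploads to” check is left out.

```php
<?php
// Added example, not the plugin's code: a model of the role check discussed in
// this thread. Option keys mirror the quoted ones; function names and the
// 'pass' / 'sanitize' / 'reject' outcomes are invented here for comparison.

/** Roles the user holds that are also listed under "Do not sanitize for these roles". */
function exempt_roles(array $user_roles, array $options): array {
    return array_intersect($user_roles, $options['sanitize_on_upload_roles'] ?? []);
}

function sanitize_enabled(array $options): bool {
    return !empty($options['sanitize_svg']) && $options['sanitize_svg'] === 'on';
}

/** Behaviour reported in the original post: only exempt users are sanitized, everyone else is rejected. */
function decide_buggy(array $user_roles, array $options): string {
    // An empty exception list is stored by the plugin as the bogus entry "none".
    $exceptions = $options['sanitize_on_upload_roles'] ?? ['none'];
    if (sanitize_enabled($options) && $exceptions[0] != 'none') {
        $should_sanitize_svg = exempt_roles($user_roles, $options);
        if (empty($should_sanitize_svg)) {
            return 'reject';   // generic "couldn't be sanitized so for security reasons" message
        }
        return 'sanitize';     // bodhi_svgs_sanitize() is only ever reached here
    }
    return 'pass';
}

/** Corrected logic from the reply: exempt roles skip sanitization, all others are sanitized. */
function decide_fixed(array $user_roles, array $options): string {
    if (sanitize_enabled($options)) {
        $should_sanitize_svg = exempt_roles($user_roles, $options);
        if (!empty($should_sanitize_svg)) {
            return 'pass';     // role is in "Do not sanitize for these roles"
        }
        return 'sanitize';     // a real WordPress role literally named "none" would wrongly be exempt
    }
    return 'pass';
}

// Constructed settings matching the original post: sanitize on, only administrators exempt.
$options = ['sanitize_svg' => 'on', 'sanitize_on_upload_roles' => ['administrator']];
foreach ([['editor'], ['administrator'], ['client-admin', 'editor']] as $roles) {
    printf("%-22s buggy=%-9s fixed=%s\n", implode(',', $roles),
        decide_buggy($roles, $options), decide_fixed($roles, $options));
}
```

With these settings an editor-only user is rejected by the original branch and sanitized by the corrected one, while an administrator is sanitized by the original branch and passed through untouched by the corrected one.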

  • The topic ‘Bug in sanitization with user roles other than admin’ is closed to new replies.