Is it secure (within reason)

It was fixed yesterday before I went to my new meetup without allowing upload of PHP files or other files that are not SVG https://github.com/Lewiscowles1986/WordPressSVGPlugin/

if you really want the largest change to 4.7.1 I think it’s in /wp-admin/includes/file.php. AFAIK I never used to use GD to verify files in the way it does now and it does so without an appropriate hook. GD is used for many plugins and I think the WP core media editing tools. It is a bit of a surprise it doesn’t support SVG, but until it does you have to remove the ‘image/’ prefix from any mime-type not supported by GD.

Hi @gecko_guy,

Allowing SVG uploads is a risk in itself because nasty scripts can be uploaded as SVG files… My plugin has a setting to restrict the ability to upload SVG to admins only to try and provide a little security there.

As for the recent changes, when WP changed the way they handle file types, I added the following function temporarily. It looks like they will be fixing this issue in 4.7.2, which will allow me to remove the function again. This function doesn’t completely disable the upload filter like the wp-config option you mentioned, and it doesn’t allow PHP uploads to media library.

/**
 * TEMP FIX FOR 4.7.1
 * Issue should be fixed in 4.7.2 in which case this will be deleted.
 */
function bodhi_svgs_disable_real_mime_check( $data, $file, $filename, $mimes ) {
	$wp_filetype = wp_check_filetype( $filename, $mimes );

	$ext = $wp_filetype['ext'];
	$type = $wp_filetype['type'];
	$proper_filename = $data['proper_filename'];

	return compact( 'ext', 'type', 'proper_filename' );
}
add_filter( 'wp_check_filetype_and_ext', 'bodhi_svgs_disable_real_mime_check', 10, 4 );

I hope this answers some of your questions.

Hey @lewiscowles,

Your plugin looks really cool, nice neat OOP, thanks for sharing ??

Hi Benbodhi,

Yes, thanks for the info, and thanks also to @lewiscowles for sharing your plugin.

It makes me feel more comfortable just by understanding where things are coming from (on the WP side), and that you are giving as much thought to security as you are.

Really appreciate you taking time to respond, and thanks also for keeping the plugin updated and functional! ??

My pleasure, thanks for your support!