  • Plugin Author Sterling Hamilton

    (@sterlo)

    Hey thedwards!

    Great point. I am going to do some R&D on risks and assessments towards that.
    Do you have any documentation/references that I can use to jumpstart my own investigation so I can better educate the users?

    Plugin Author Sterling Hamilton

    (@sterlo)

    Here’s my basic understanding of risks related towards SVG files that go outside of standard file upload risks.

    https://security.stackexchange.com/questions/11384/exploits-or-other-security-risks-with-svg-upload

    I could put a note in the plugin that says something like:
    “Warning: Understanding that uploading any file to the system is a potential security risk, it is strongly recommended to only let trusted users have upload privileges.”

    This would seem to be a general bit of advice for all WordPress installs and not something exclusive to SVG material. I mean – most image formats can be exploited.

    How can I alter my notice above, to provide something of value?

    Thread Starter thedwards

    (@thedwards)

    I don’t have a lot of references on SVG risks, the only thing I really have found is this video from 2011: https://www.youtube.com/watch?v=v-a77QdoK2I. That stackoverflow question also looks like it outlines the basic issues, at least in the accepted answer.

    Your note is good general advice, as you say. My main concern is that not enough people know SVG is not just an image media type. True that most image formats can be exploited, but a “while(true);” statement isn’t even an exploit in SVG and it locks up the browser. I think since this is a popular SVG upload plugin it’s a great place to mention that SVG is a bit more volatile than other image formats.

    Personally I would run all my SVG through a purifier but I haven’t had a situation where I need to allow SVG uploads. However SVG is definitely here to stay and I have been considering writing a plugin that does that.

    Thanks for your response, I appreciate your willingness to look into this.

    Plugin Author Sterling Hamilton

    (@sterlo)

    Thanks!

    I’ll watch that and formulate some action. Happy to put some general guidelines as a platform for security.

    Plugin Author Sterling Hamilton

    (@sterlo)

    Here’s what I’m adding:

    “Warning: Understanding that uploading any file to the system is a potential security risk, it is strongly recommended to only let trusted users have upload privileges.

    Resources for understanding security risks:
    * https://security.stackexchange.com/questions/11384/exploits-or-other-security-risks-with-svg-upload
    * https://www.youtube.com/watch?v=v-a77QdoK2I

    Then after adding that note in the README.

    I can implement a scan on uploaded files to detect CSS/JavaScript.
    Then allow the users to have a checkbox that says “allow JS” and “allow CSS”. Potentially allow “Java” or maybe approach this from the other end “Allow things other than XML”.

    I need to noodle on this a bit.

    Thread Starter thedwards

    (@thedwards)

    Instead of writing your own, you might want to look around for an SVG sanitizer that has a few contributors. I am not very familiar with this myself, but it seems like there are a few out there.

    Plugin Author Sterling Hamilton

    (@sterlo)

    Good idea.

    Plugin Author Sterling Hamilton

    (@sterlo)

    We’ll try this and see how it goes: https://github.com/alister-/SVG-Sanitizer

    I think whitelisting is a good approach.

    Thread Starter thedwards

    (@thedwards)

    Yes, I saw that one too. I agree whitelist is probably best. Also it is nice to use the built-in PHP parser.

    I actually expected to find a number of scripts, but I guess SVG does not have enough popularity yet.
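
The whitelist approach discussed above, sketched with PHP's built-in DOM parser. This is an added example, not part of the thread and not code from the plugin or from the linked SVG-Sanitizer project; the function names `sanitize_svg` and `scrub` and both allowlists are hypothetical and deliberately small.

```php
<?php
// Added example. Allowlists are constructed for illustration; extend them as needed.
const SVG_NS = 'http://www.w3.org/2000/svg';
const ALLOWED_ELEMENTS = ['svg', 'g', 'path', 'rect', 'circle', 'ellipse', 'line',
                          'polyline', 'polygon', 'title', 'desc'];
const ALLOWED_ATTRIBUTES = ['viewBox', 'width', 'height', 'x', 'y', 'cx', 'cy', 'r', 'rx',
                            'ry', 'x1', 'y1', 'x2', 'y2', 'd', 'points', 'fill', 'stroke',
                            'stroke-width', 'transform', 'id'];

function scrub(DOMElement $el): void
{
    // Copy to arrays first: removing from a live node list while iterating skips entries.
    foreach (iterator_to_array($el->attributes, false) as $attr) {
        $nameOk = in_array($attr->nodeName, ALLOWED_ATTRIBUTES, true); // drops on*, style, href
        // Value allowlist: numbers, names, colours, functions; ':' and '/' (URLs) fail.
        $valueOk = preg_match('/^[\w\s.,#%()+\-]*$/', $attr->value) === 1;
        if (!$nameOk || !$valueOk) {
            $el->removeAttributeNode($attr);
        }
    }
    foreach (iterator_to_array($el->childNodes, false) as $child) {
        $keepElement = $child instanceof DOMElement && $child->namespaceURI === SVG_NS
            && in_array($child->localName, ALLOWED_ELEMENTS, true);
        if ($keepElement) {
            scrub($child);
        } elseif (!($child instanceof DOMText)) {
            $el->removeChild($child); // unknown elements, comments, processing instructions
        }
    }
}

function sanitize_svg(string $svg): ?string
{
    if ($svg === '') { return null; } // loadXML() rejects an empty source
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok   = $doc->loadXML($svg, LIBXML_NONET); // no network fetches while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $root = $ok ? $doc->documentElement : null;
    // Reject parse failures, any DOCTYPE (entity declarations) and non-SVG roots.
    if ($root === null || $doc->doctype !== null
        || $root->namespaceURI !== SVG_NS || $root->localName !== 'svg') {
        return null;
    }
    scrub($root);
    return $doc->saveXML($root); // serialise the root only, dropping anything outside it
}
```

A `null` return means the upload should be refused; otherwise the returned string is what gets stored in place of the original file.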

    Plugin Author Sterling Hamilton

    (@sterlo)

    Solution created/implemented.

    I’ll deploy this shortly.

    Thanks for bringing it up! If you see room for improvement — please reach out again.

  • The topic ‘SVG security’ is closed to new replies.