Marked SVG as high risk.
sybrew committed Aug 8, 2023
1 parent bf106ba commit 6a04e02
Showing 2 changed files with 30 additions and 14 deletions.
29 changes: 16 additions & 13 deletions promimetypes.php
Expand Up @@ -12,7 +12,7 @@
* Plugin Name: Pro Mime Types - Manage file media types
* Plugin URI: https://wordpress.org/plugins/pro-mime-types/
* Description: Enable or block MIME types and file extensions for media / file / attachment uploads through a nifty (network) admin menu.
* Version: 2.0.0
* Version: 2.0.1
* Author: Sybre Waaijer
* Author URI: https://cyberwire.nl/
* License: GPLv3
Expand Down Expand Up @@ -174,6 +174,9 @@ function get_allowed_mime_types_settings() {
* @access private
*/
function _define_supported_mime_types() {

$is_svg_i18n = \__( 'XML file formats can be executed by the browser when interpreted as HTML.', 'pro-mime-types' );

/**
* @since 2.0.0
* array['extension_regex','mime','danger','comment','type']
Expand Down Expand Up @@ -203,7 +206,7 @@ function _define_supported_mime_types() {
[ 'ico', 'image/x-icon', MIME_DANGER_LEVEL['safe'], '', 'image' ],
[ 'jpg|jpeg|jpe|jif|jfif', 'image/jpeg', MIME_DANGER_LEVEL['safe'], '', 'image' ],
[ 'png', 'image/png', MIME_DANGER_LEVEL['safe'], '', 'image' ],
[ 'svg', 'image/svg+xml', MIME_DANGER_LEVEL['safe'], '', 'image' ],
[ 'svg', 'image/svg+xml', MIME_DANGER_LEVEL['high-risk'], $is_svg_i18n, 'image' ],
[ 'tif|tiff', 'image/tiff', MIME_DANGER_LEVEL['safe'], '', 'image' ],
[ 'webp', 'image/webp', MIME_DANGER_LEVEL['safe'], '', 'image' ],

Expand Down Expand Up @@ -241,9 +244,9 @@ function _define_supported_mime_types() {
// Document formats.
[ 'doc', 'application/msword', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'document' ],
[ 'docm', 'application/vnd.ms-word.document.macroEnabled.12', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'document' ],
[ 'docx', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', MIME_DANGER_LEVEL['low-risk'], \__( 'XML file formats can be executed by the browser when interpreted as HTML.', 'pro-mime-types' ), 'document' ],
[ 'docx', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', MIME_DANGER_LEVEL['low-risk'], $is_svg_i18n, 'document' ],
[ 'dotm', 'application/vnd.ms-word.template.macroEnabled.12', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'document' ],
[ 'dotx', 'application/vnd.openxmlformats-officedocument.wordprocessingml.template', MIME_DANGER_LEVEL['low-risk'], \__( 'XML file formats can be executed by the browser when interpreted as HTML.', 'pro-mime-types' ), 'document' ],
[ 'dotx', 'application/vnd.openxmlformats-officedocument.wordprocessingml.template', MIME_DANGER_LEVEL['low-risk'], $is_svg_i18n, 'document' ],
[ 'odt', 'application/vnd.oasis.opendocument.text', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'document' ],
[ 'oxps', 'application/oxps', MIME_DANGER_LEVEL['safe'], '', 'document' ],
[ 'pages', 'application/vnd.apple.pages', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'document' ],
Expand All @@ -263,23 +266,23 @@ function _define_supported_mime_types() {
[ 'xlam', 'application/vnd.ms-excel.addin.macroEnabled.12', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'spreadsheet' ],
[ 'xlsb', 'application/vnd.ms-excel.sheet.binary.macroEnabled.12', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'spreadsheet' ],
[ 'xlsm', 'application/vnd.ms-excel.sheet.macroEnabled.12', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'spreadsheet' ],
[ 'xlsx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', MIME_DANGER_LEVEL['low-risk'], \__( 'XML file formats can be executed by the browser when interpreted as HTML.', 'pro-mime-types' ), 'spreadsheet' ],
[ 'xlsx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', MIME_DANGER_LEVEL['low-risk'], $is_svg_i18n, 'spreadsheet' ],
[ 'xltm', 'application/vnd.ms-excel.template.macroEnabled.12', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'spreadsheet' ],
[ 'xltx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.template', MIME_DANGER_LEVEL['low-risk'], \__( 'XML file formats can be executed by the browser when interpreted as HTML.', 'pro-mime-types' ), 'spreadsheet' ],
[ 'xltx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.template', MIME_DANGER_LEVEL['low-risk'], $is_svg_i18n, 'spreadsheet' ],

// Interactive formats.
[ 'key', 'application/vnd.apple.keynote', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'interactive' ],
[ 'odp', 'application/vnd.oasis.opendocument.presentation', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'interactive' ],
[ 'pot|pps|ppt', 'application/vnd.ms-powerpoint', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'interactive' ],
[ 'potm', 'application/vnd.ms-powerpoint.template.macroEnabled.12', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'interactive' ],
[ 'potx', 'application/vnd.openxmlformats-officedocument.presentationml.template', MIME_DANGER_LEVEL['low-risk'], \__( 'XML file formats can be executed by the browser when interpreted as HTML.', 'pro-mime-types' ), 'interactive' ],
[ 'potx', 'application/vnd.openxmlformats-officedocument.presentationml.template', MIME_DANGER_LEVEL['low-risk'], $is_svg_i18n, 'interactive' ],
[ 'ppam', 'application/vnd.ms-powerpoint.addin.macroEnabled.12', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'interactive' ],
[ 'ppsm', 'application/vnd.ms-powerpoint.slideshow.macroEnabled.12', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'interactive' ],
[ 'ppsx', 'application/vnd.openxmlformats-officedocument.presentationml.slideshow', MIME_DANGER_LEVEL['low-risk'], \__( 'XML file formats can be executed by the browser when interpreted as HTML.', 'pro-mime-types' ), 'interactive' ],
[ 'ppsx', 'application/vnd.openxmlformats-officedocument.presentationml.slideshow', MIME_DANGER_LEVEL['low-risk'], $is_svg_i18n, 'interactive' ],
[ 'pptm', 'application/vnd.ms-powerpoint.presentation.macroEnabled.12', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'interactive' ],
[ 'pptx', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', MIME_DANGER_LEVEL['low-risk'], \__( 'XML file formats can be executed by the browser when interpreted as HTML.', 'pro-mime-types' ), 'interactive' ],
[ 'pptx', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', MIME_DANGER_LEVEL['low-risk'], $is_svg_i18n, 'interactive' ],
[ 'sldm', 'application/vnd.ms-powerpoint.slide.macroEnabled.12', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'interactive' ],
[ 'sldx', 'application/vnd.openxmlformats-officedocument.presentationml.slide', MIME_DANGER_LEVEL['low-risk'], \__( 'XML file formats can be executed by the browser when interpreted as HTML.', 'pro-mime-types' ), 'interactive' ],
[ 'sldx', 'application/vnd.openxmlformats-officedocument.presentationml.slide', MIME_DANGER_LEVEL['low-risk'], $is_svg_i18n, 'interactive' ],

// Text formats.
[ 'csv', 'text/csv', MIME_DANGER_LEVEL['safe'], '', 'text' ],
Expand All @@ -301,10 +304,10 @@ function _define_supported_mime_types() {

// Code formats.
[ 'css', 'text/css', MIME_DANGER_LEVEL['high-risk'], \__( 'CSS can import external resources in the browser.', 'pro-mime-types' ), 'code' ],
[ 'dfxp', 'application/ttaf+xml', MIME_DANGER_LEVEL['low-risk'], \__( 'XML file formats can be executed by the browser when interpreted as HTML.', 'pro-mime-types' ), 'code' ],
[ 'dfxp', 'application/ttaf+xml', MIME_DANGER_LEVEL['low-risk'], $is_svg_i18n, 'code' ],
[ 'htm|html', 'text/html', MIME_DANGER_LEVEL['dangerous'], \__( 'Can run in iframes through shortcodes. Can import javascript. Can import CSS.', 'pro-mime-types' ), 'code' ],
[ 'js', 'application/javascript', MIME_DANGER_LEVEL['dangerous'], \__( 'Can execute code in browser.', 'pro-mime-types' ), 'code' ],
[ 'xml', 'application/xhtml+xml', MIME_DANGER_LEVEL['low-risk'], \__( 'XML file formats can be executed by the browser when interpreted as HTML.', 'pro-mime-types' ), 'code' ],
[ 'xml', 'application/xhtml+xml', MIME_DANGER_LEVEL['low-risk'], $is_svg_i18n, 'code' ],
// [ 'php', 'application/x-httpd-php', MIME_DANGER_LEVEL['dangerous'], \__( 'This server is built to execute these file types as-is. Do not allow uploading of this file type.', 'pro-mime-types' ), 'code' ], // Let's not. This 'feature' will block us from many hosts.

// Misc application formats.
Expand All @@ -313,7 +316,7 @@ function _define_supported_mime_types() {
[ 'mdb', 'application/vnd.ms-access', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'misc' ],
[ 'mpp', 'application/vnd.ms-project', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'misc' ],
[ 'odb', 'application/vnd.oasis.opendocument.database', MIME_DANGER_LEVEL['low-risk'], \__( 'Can contain macros which office software may execute.', 'pro-mime-types' ), 'misc' ],
[ 'odc', 'application/vnd.oasis.opendocument.chart', MIME_DANGER_LEVEL['low-risk'], \__( 'XML file formats can be executed by the browser when interpreted as HTML.', 'pro-mime-types' ), 'misc' ],
[ 'odc', 'application/vnd.oasis.opendocument.chart', MIME_DANGER_LEVEL['low-risk'], $is_svg_i18n, 'misc' ],
[ 'odf', 'application/vnd.oasis.opendocument.formula', MIME_DANGER_LEVEL['safe'], '', 'misc' ],
[ 'odg', 'application/vnd.oasis.opendocument.graphics', MIME_DANGER_LEVEL['safe'], '', 'misc' ],
[ 'onetoc|onetoc2|onetmp|onepkg', 'application/onenote', MIME_DANGER_LEVEL['safe'], '', 'misc' ],
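Review bot: The variable added at the top of `_define_supported_mime_types()` (the hunk at -174,6) is named `$is_svg_i18n`, yet on the new side it is reused as the danger comment for docx, dotx, xlsx, xltx, potx, ppsx, pptx, sldx, dfxp, xml and odc, none of which are SVG, and the `is_` prefix reads like a boolean rather than a cached translation. A name that describes the shared string, e.g. `$xml_exec_i18n = \__( 'XML file formats can be executed by the browser when interpreted as HTML.', 'pro-mime-types' );`, would keep the next reader from assuming it is SVG-specific and makes the one security-relevant change in this commit, the `svg` row moving from `MIME_DANGER_LEVEL['safe']` to `MIME_DANGER_LEVEL['high-risk']`, easier to audit. That row now carries the same generic XML wording as the docx/xlsx rows that stay `low-risk`, so the admin-facing comment does not explain why SVG is rated two levels higher; a dedicated string for the svg row stating that SVG is rendered directly by the browser when opened as a document and can carry embedded scripting, so it should only be allowed together with an SVG sanitizer, would document the rationale the commit message and readme already give. The function body and the `$mime_types` array continue beyond the last hunk of this section.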
15 changes: 14 additions & 1 deletion readme.txt
Expand Up @@ -5,7 +5,7 @@ Tags: mimes, mime types, types, multisite, network, upload, attachment, security
Requires at least: 5.3
Tested up to: 6.2
Requires PHP: 7.4.0
Stable tag: 2.0.0
Stable tag: 2.0.1
License: GPLv3
License URI: http://www.gnu.org/licenses/gpl-3.0.html

Expand Down Expand Up @@ -51,8 +51,21 @@ Not all PHP installations recognize MIME types the same way, making it difficult

If you find an issue, please open a [support topic](https://wordpress.org/support/plugin/pro-mime-types/#new-topic-0) or [GitHub issue](https://github.com/sybrew/pro-mime-types/issues/new) and detail your website's [PHP version](https://wordpress.org/documentation/article/site-health-screen/#server) and image extension so we can start investigating the MIME type.

= Which file extensions are supported? ==

`bmp`, `gif`, `heic`, `heif`, `ico`, `jpg`, `jpeg`, `jpe`, `jif`, `jfif`, `png`, `svg`, `tif`, `tiff`, `webp`, `aac`, `ac3`, `aff`, `aif`, `aiff`, `flac`, `mid`, `midi`, `mka`, `mp1`, `mp2`, `mp3`, `m3a`, `m4a`, `m4b`, `ogg`, `oga`, `ra`, `ram`, `wav`, `wax`, `wma`, `3g2`, `3gp2`, `3gp`, `3gpp`, `asf`, `asx`, `avi`, `divx`, `mkv`, `mov`, `qt`, `mp4`, `m4v`, `mpeg`, `mpg`, `mpe`, `mpv`, `vob`, `ogv`, `ogm`, `rm`, `webm`, `wm`, `wmv`, `wmx`, `doc`, `docm`, `docx`, `dotm`, `dotx`, `odt`, `oxps`, `pages`, `pdf`, `psd`, `ai`, `rtf`, `wri`, `wp`, `wpd`, `xcf`, `xps`, `numbers`, `ods`, `xla`, `xls`, `xlt`, `xlw`, `xlam`, `xlsb`, `xlsm`, `xlsx`, `xltm`, `xltx`, `key`, `odp`, `pot`, `pps`, `ppt`, `potm`, `potx`, `ppam`, `ppsm`, `ppsx`, `pptm`, `pptx`, `sldm`, `sldx`, `csv`, `ics`, `md`, `rtx`, `tsv`, `txt`, `asc`, `c`, `cc`, `h`, `srt`, `vtt`, `7z`, `cab`, `gz`, `gzip`, `img`, `2mg`, `smi`, `dmg`, `rar`, `tar`, `zip`, `css`, `dfxp`, `htm`, `html`, `js`, `xml`, `php`, `class`, `exe`, `mdb`, `mpp`, `odb`, `odc`, `odf`, `odg`, `onetoc`, `onetoc2`, `onetmp`, and `onepkg`.

= Which MIME types are supported? =

`image/bmp`, `image/gif`, `image/heic`, `image/x-icon`, `image/jpeg`, `image/png`, `image/svg+xml`, `image/tiff`, `image/webp`, `audio/aac`, `audio/ac3`, `audio/aiff`, `audio/flac`, `audio/midi`, `audio/x-matroska`, `audio/mpeg`, `audio/ogg`, `audio/x-realaudio`, `audio/wav`, `audio/x-ms-wax`, `audio/x-ms-wma`, `video/3gpp2`, `video/3gpp`, `video/x-ms-asf`, `video/avi`, `video/divx`, `video/x-matroska`, `video/quicktime`, `video/mp4`, `video/mpeg`, `video/ogg`, `application/vnd.rn-realmedia`, `video/webm`, `video/x-ms-wm`, `video/x-ms-wmv`, `video/x-ms-wmx`, `application/msword`, `application/vnd.ms-word.document.macroEnabled.12`, `application/vnd.openxmlformats-officedocument.wordprocessingml.document`, `application/vnd.ms-word.template.macroEnabled.12`, `application/vnd.openxmlformats-officedocument.wordprocessingml.template`, `application/vnd.oasis.opendocument.text`, `application/oxps`, `application/vnd.apple.pages`, `application/pdf`, `image/vnd.adobe.photoshop`, `application/postscript`, `application/rtf`, `application/vnd.ms-write`, `application/wordperfect`, `image/x-xcf`, `application/vnd.ms-xpsdocument`, `application/vnd.apple.numbers`, `application/vnd.oasis.opendocument.spreadsheet`, `application/vnd.ms-excel`, `application/vnd.ms-excel.addin.macroEnabled.12`, `application/vnd.ms-excel.sheet.binary.macroEnabled.12`, `application/vnd.ms-excel.sheet.macroEnabled.12`, `application/vnd.openxmlformats-officedocument.spreadsheetml.sheet`, `application/vnd.ms-excel.template.macroEnabled.12`, `application/vnd.openxmlformats-officedocument.spreadsheetml.template`, `application/vnd.apple.keynote`, `application/vnd.oasis.opendocument.presentation`, `application/vnd.ms-powerpoint`, `application/vnd.ms-powerpoint.template.macroEnabled.12`, `application/vnd.openxmlformats-officedocument.presentationml.template`, `application/vnd.ms-powerpoint.addin.macroEnabled.12`, `application/vnd.ms-powerpoint.slideshow.macroEnabled.12`, 
`application/vnd.openxmlformats-officedocument.presentationml.slideshow`, `application/vnd.ms-powerpoint.presentation.macroEnabled.12`, `application/vnd.openxmlformats-officedocument.presentationml.presentation`, `application/vnd.ms-powerpoint.slide.macroEnabled.12`, `application/vnd.openxmlformats-officedocument.presentationml.slide`, `text/csv`, `text/calendar`, `text/markdown`, `text/richtext`, `text/tab-separated-values`, `text/plain`, `text/vtt`, `application/x-7z-compressed`, `application/vnd.ms-cab-compressed`, `application/x-gzip`, `application/x-apple-diskimage`, `application/rar`, `application/x-tar`, `application/zip`, `text/css`, `application/ttaf+xml`, `text/html`, `application/javascript`, `application/xhtml+xml`, `application/x-httpd-java`, `application/x-msdownload`, `application/vnd.ms-access`, `application/vnd.ms-project`, `application/vnd.oasis.opendocument.database`, `application/vnd.oasis.opendocument.chart`, `application/vnd.oasis.opendocument.formula`, `application/vnd.oasis.opendocument.graphics`, and `application/onenote`.

== Changelog ==

= 2.0.1 =

* `.svg` was inattentively marked as a "safe" file extension, which it's not. Consider using the [Safe SVG plugin](https://wordpress.org/plugins/safe-svg/) to sanitize SVG uploads (you must still allow them via Pro Mime Types). If you do not use SVGs, you should disallow it being uploaded.
* Improved performance by caching repeated translations.

= 2.0.0 =

After eight years without updates (yet still working with the latest version of WordPress), Pro Mime Types got rewritten from the ground up. Now it's written by a senior PHP developer (me) instead of a noob (also me).
