updated plugin Menu Icons
version 0.13.14
@ -6,6 +6,8 @@
|
||||
* @author Dzikri Aziz <kvcrvt@gmail.com>
|
||||
*/
|
||||
|
||||
use enshrined\svgSanitize\Sanitizer;
|
||||
|
||||
require_once dirname( __FILE__ ) . '/image.php';
|
||||
|
||||
/**
|
||||
@ -53,6 +55,108 @@ class Icon_Picker_Type_Svg extends Icon_Picker_Type_Image {
|
||||
|
||||
parent::__construct( $args );
|
||||
add_filter( 'upload_mimes', array( $this, '_add_mime_type' ) );
|
||||
add_filter( 'wp_handle_upload_prefilter', array( $this, '_check_svg_and_sanitize' ) );
|
||||
}
|
||||
|
||||
/**
|
||||
* Sanitize the SVG
|
||||
*
|
||||
* @param string $file Temp file path.
|
||||
*
|
||||
* @return bool|int
|
||||
*/
|
||||
protected function sanitize_svg( $file ) {
|
||||
// We can ignore the phpcs warning here as we're reading and writing to the Temp file.
|
||||
$dirty = file_get_contents( $file ); // phpcs:ignore
|
||||
|
||||
// Is the SVG gzipped? If so we try and decode the string.
|
||||
$is_zipped = $this->is_gzipped( $dirty );
|
||||
if ( $is_zipped && ( ! function_exists( 'gzdecode' ) || ! function_exists( 'gzencode' ) ) ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if ( $is_zipped ) {
|
||||
$dirty = gzdecode( $dirty );
|
||||
|
||||
// If decoding fails, bail as we're not secure.
|
||||
if ( false === $dirty ) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
$sanitizer = new Sanitizer();
|
||||
$clean = $sanitizer->sanitize( $dirty );
|
||||
|
||||
if ( false === $clean ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// If we were gzipped, we need to re-zip.
|
||||
if ( $is_zipped ) {
|
||||
$clean = gzencode( $clean );
|
||||
}
|
||||
|
||||
// We can ignore the phpcs warning here as we're reading and writing to the Temp file.
|
||||
file_put_contents( $file, $clean ); // phpcs:ignore
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the contents are gzipped
|
||||
*
|
||||
* @see http://www.gzip.org/zlib/rfc-gzip.html#member-format
|
||||
*
|
||||
* @param string $contents Content to check.
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
protected function is_gzipped( $contents ) {
|
||||
// phpcs:disable Generic.Strings.UnnecessaryStringConcat.Found
|
||||
if ( function_exists( 'mb_strpos' ) ) {
|
||||
return 0 === mb_strpos( $contents, "\x1f" . "\x8b" . "\x08" );
|
||||
} else {
|
||||
return 0 === strpos( $contents, "\x1f" . "\x8b" . "\x08" );
|
||||
}
|
||||
// phpcs:enable
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the file is an SVG, if so handle appropriately and sanitize.
|
||||
*
|
||||
* @param array $file An array of data for a single file.
|
||||
*
|
||||
* @return void
|
||||
*/
|
||||
public function _check_svg_and_sanitize( $file ) {
|
||||
// Ensure we have a proper file path before processing.
|
||||
if ( ! isset( $file['tmp_name'] ) ) {
|
||||
return $file;
|
||||
}
|
||||
|
||||
$file_name = isset( $file['name'] ) ? $file['name'] : '';
|
||||
$wp_filetype = wp_check_filetype_and_ext( $file['tmp_name'], $file_name );
|
||||
$type = ! empty( $wp_filetype['type'] ) ? $wp_filetype['type'] : '';
|
||||
|
||||
if ( 'image/svg+xml' === $type ) {
|
||||
if ( ! current_user_can( 'upload_files' ) ) {
|
||||
$file['error'] = __(
|
||||
'Sorry, you are not allowed to upload files.',
|
||||
'icon-picker'
|
||||
);
|
||||
|
||||
return $file;
|
||||
}
|
||||
|
||||
if ( ! $this->sanitize_svg( $file['tmp_name'] ) ) {
|
||||
$file['error'] = __(
|
||||
"Sorry, this file couldn't be sanitized so for security reasons wasn't uploaded",
|
||||
'icon-picker'
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
return $file;
|
||||
}
|
||||
|
||||
|
||||
|
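Review bot: The return value of `file_put_contents( $file, $clean )` in sanitize_svg is never checked, so if the write fails the method still returns true and the original, unsanitized temp file continues through the upload; the write should fail closed, e.g. `if ( false === file_put_contents( $file, $clean ) ) { return false; }`. The same applies to `file_get_contents( $file )` at the top of the method and to `gzencode( $clean )` in the re-zip branch, both of which can return false and are passed on unchecked (a false from gzencode would write an empty file). The `@return bool|int` tag on sanitize_svg does not match the body, which only returns booleans, and `_check_svg_and_sanitize` is tagged `@return void` while it returns the `$file` array; these should read `@return bool` and `@return array`. In is_gzipped the check is a byte comparison against the gzip magic bytes, so `mb_strpos` adds nothing and may behave differently on non-UTF-8 input depending on the mbstring internal encoding; `0 === strpos( $contents, "\x1f\x8b\x08" )` alone is sufficient and unambiguous.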