Merge pull request from GHSA-59cf-m7v5-wh5w

[BUGFIX] Scan files with extension svg and other mime-types
TYPO3GmbH · May 12, 2020 · b002dbf · b002dbf
2 parents 763a245 + 63eea9e
commit b002dbf
Show file tree

Hide file tree

Showing 23 changed files with 120,808 additions and 1 deletion.
diff --git a/Classes/Service/SvgSanitizerService.php b/Classes/Service/SvgSanitizerService.php
@@ -31,6 +31,8 @@
  */
 class SvgSanitizerService
 {
+    protected $possibleMimeTypes = ['image/svg', 'image/svg+xml', 'application/svg', 'application/svg+xml'];
+
     /**
      * @param string $fileNameAndPath
      * @return bool
@@ -39,7 +41,8 @@ class SvgSanitizerService
     public function isSvgFile($fileNameAndPath)
     {
         $fileInfo = GeneralUtility::makeInstance(FileInfo::class, $fileNameAndPath);
-        return \in_array($fileInfo->getMimeType(), ['image/svg+xml', 'application/svg+xml'], true);
+        return $fileInfo->getExtension() === 'svg'
+            || \in_array(strtolower($fileInfo->getMimeType()), $this->possibleMimeTypes, true);
     }
 
     /**

diff --git a/Tests/Fixtures/CleanSVG/ariaData.svg b/Tests/Fixtures/CleanSVG/ariaData.svg
diff --git a/Tests/Fixtures/CleanSVG/external.svg b/Tests/Fixtures/CleanSVG/external.svg
diff --git a/Tests/Fixtures/CleanSVG/hrefOne.svg b/Tests/Fixtures/CleanSVG/hrefOne.svg
diff --git a/Tests/Fixtures/CleanSVG/hrefTwo.svg b/Tests/Fixtures/CleanSVG/hrefTwo.svg
diff --git a/Tests/Fixtures/CleanSVG/svgOne.svg b/Tests/Fixtures/CleanSVG/svgOne.svg
diff --git a/Tests/Fixtures/CleanSVG/use.svg b/Tests/Fixtures/CleanSVG/use.svg
diff --git a/Tests/Fixtures/CleanSVG/useDos.svg b/Tests/Fixtures/CleanSVG/useDos.svg