10up / safe-svg

Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website.
https://wordpress.org/plugins/safe-svg/
GNU General Public License v2.0

Broken media management if simplexml is missing #139

Closed sdmtt closed 1 year ago

sdmtt commented 1 year ago

Describe the bug

When an SVG is uploaded, the plugin calls simplexml_load_file to retrieve the SVG dimensions from the file. However, if the simplexml PHP extension is not installed, the plugin will crash while attempting to generate the metadata for the image.

If you use the media gallery to upload a file then the upload process won't complete and WordPress will throw a generic error message:

The server cannot process the image. This can happen if the server is busy or does not have enough resources to complete the task. Uploading a smaller image may help. Suggested maximum size is 2560 pixels.

However, if you upload an image via the REST API, the request will fail with a 500 HTTP error but the image will still be successfully uploaded without metadata. This becomes a problem because you won't be able to access the media gallery afterwards since the plugin will attempt to regenerate the metadata on the fly and crash.

Steps to Reproduce

  1. Upload an image via the REST API. Request will fail with a 500 error.
  2. File will exist in the uploads folder and in the wp_posts table, but there won't be a _wp_attachment_metadata in wp_postmeta.
  3. Try to access the media gallery.

Screenshots, screen recording, code snippet

No response

Environment information

No response

WordPress information

No response


jeffpaul commented 1 year ago

@sdmtt thanks for the report and related PR, we'll get this through review and either questions back to you or move along for merge/release... thanks!
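
A guarded form of the dimension lookup described in the report, as an added example that is not part of the thread or the plugin's own code. The function name example_svg_dimensions() and the regex fallback are assumptions made for illustration, not the fix that was merged; the point is that a missing simplexml extension yields `false` instead of a fatal error during metadata generation.

```php
<?php
/**
 * Hypothetical helper: returns [ 'width' => float, 'height' => float ] or false.
 * It never fatals when the simplexml extension is not installed.
 */
function example_svg_dimensions( string $path ) {
	if ( ! is_readable( $path ) ) {
		return false;
	}
	$attrs = false;
	if ( function_exists( 'simplexml_load_file' ) ) {
		// Preferred path: real XML parsing, errors collected instead of emitted,
		// and LIBXML_NONET so the parser makes no network requests.
		$previous = libxml_use_internal_errors( true );
		$svg      = simplexml_load_file( $path, 'SimpleXMLElement', LIBXML_NONET );
		libxml_clear_errors();
		libxml_use_internal_errors( $previous );
		if ( false !== $svg ) {
			$attrs = array(
				'width'   => (string) $svg['width'],
				'height'  => (string) $svg['height'],
				'viewBox' => (string) $svg['viewBox'],
			);
		}
	} else {
		// Fallback without simplexml: inspect only the opening <svg ...> tag.
		$head = file_get_contents( $path, false, null, 0, 8192 );
		if ( false !== $head && preg_match( '/<svg\b[^>]*>/i', $head, $tag ) ) {
			$attrs = array( 'width' => '', 'height' => '', 'viewBox' => '' );
			foreach ( array_keys( $attrs ) as $name ) {
				if ( preg_match( '/\s' . $name . '\s*=\s*["\']([^"\']*)["\']/i', $tag[0], $m ) ) {
					$attrs[ $name ] = $m[1];
				}
			}
		}
	}
	if ( false === $attrs ) {
		return false; // Caller stores the attachment without dimensions.
	}
	// Accept plain numbers or px; percentages and other units fall through to viewBox.
	$num = static function ( string $v ): float {
		return preg_match( '/^\s*([0-9.]+)(px)?\s*$/', $v, $m ) ? (float) $m[1] : 0.0;
	};
	$width  = $num( $attrs['width'] );
	$height = $num( $attrs['height'] );
	if ( $width <= 0 || $height <= 0 ) {
		$box = preg_split( '/[\s,]+/', trim( $attrs['viewBox'] ) ); // min-x min-y width height
		if ( 4 === count( $box ) ) {
			$width  = (float) $box[2];
			$height = (float) $box[3];
		}
	}
	return ( $width > 0 && $height > 0 ) ? array( 'width' => $width, 'height' => $height ) : false;
}
```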