yiisoft / yii2

Yii 2: The Fast, Secure and Professional PHP Framework
http://www.yiiframework.com
BSD 3-Clause "New" or "Revised" License

ImageValidator and svg files #12801

Closed werew01f closed 8 years ago

werew01f commented 8 years ago

What steps will reproduce the problem?

ImageValidator validateImage always fails for SVG files.

What is the expected result?

SVG is a scalable image type, but structured as XML. I think that the image validator should correctly validate SVG graphic files.

What do you get instead?

Problem in https://github.com/yiisoft/yii2/blob/master/framework/validators/ImageValidator.php#L133 getimagesize always fails for svg.

Additional info

| Q | A |
| --- | --- |
| Yii version | 2.0.10? |
| PHP version | 7.0 |
| Operating system | Ubuntu 16.04 |

alex-code commented 8 years ago

What are you wanting to validate?

samdark commented 8 years ago

SVGs aren't really images so what you should validate is probably XML via XSD.

werew01f commented 8 years ago

I want to use imageValidation for png, jpeg and other image files such as svg. I know that SVGs aren't images at all, but it's a kind of image-type file, so I think that imageValidation should work for it. Just valid SVG or not.

rob006 commented 8 years ago

https://grepular.com/Scalable_Vector_Graphics_and_XSS

samdark commented 8 years ago

Yes, uploaded SVGs should be validated and probably sanitized. Not sure it should be part of the core image validator though...

rob006 commented 8 years ago

Treating SVG like regular images will create a lot of problems and potential security issues. If I allow users to upload images I would not expect that I need to protect against XSS in uploaded files.

samdark commented 8 years ago

Agree. I'd prefer it as a separate component.
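
One shape the separate SVG check discussed in this thread could take, as an added example that is not Yii's code and not from any commenter: a strict allowlist over the parsed XML, so script elements, event-handler attributes and link attributes are rejected by default. The function name `checkSvgUpload` and both allowlists are assumptions chosen for illustration.

```php
<?php
// Added example (not Yii code). The allowlists are illustrative assumptions,
// not a complete SVG profile; anything not listed is rejected.
const SVG_NS = 'http://www.w3.org/2000/svg';
const ALLOWED_ELEMENTS = ['svg', 'g', 'path', 'rect', 'circle', 'ellipse', 'line',
    'polyline', 'polygon', 'title', 'desc', 'defs', 'linearGradient', 'radialGradient', 'stop'];
const ALLOWED_ATTRIBUTES = ['id', 'd', 'x', 'y', 'x1', 'y1', 'x2', 'y2', 'cx', 'cy', 'r', 'rx', 'ry',
    'width', 'height', 'viewBox', 'points', 'fill', 'stroke', 'stroke-width', 'transform',
    'offset', 'stop-color', 'opacity', 'version', 'xmlns'];

/** Returns a list of problems; an empty list means the upload passed this check. */
function checkSvgUpload(string $xml): array
{
    // Refuse empty input, any DTD (entity expansion, external entities) and external stylesheets.
    if (trim($xml) === '' || preg_match('/<!(DOCTYPE|ENTITY)|<\?xml-stylesheet/i', $xml)) {
        return ['empty input, DTD or xml-stylesheet instruction'];
    }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // collect parser errors instead of emitting warnings
    $loaded = $doc->loadXML($xml, LIBXML_NONET);     // LIBXML_NONET: no network access while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $root = $loaded ? $doc->documentElement : null;
    if ($root === null || $root->localName !== 'svg' || $root->namespaceURI !== SVG_NS) {
        return ['not well-formed XML with an <svg> root in the SVG namespace'];
    }
    $problems = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        // Rejects <script>, <foreignObject>, <use>, <image>, <a>, <style> and foreign namespaces.
        if ($el->namespaceURI !== SVG_NS || !in_array($el->localName, ALLOWED_ELEMENTS, true)) {
            $problems[] = "element <{$el->nodeName}> is not allowed";
            continue;
        }
        foreach ($el->attributes as $attr) {
            // Rejects on* event handlers, href/xlink:href and style.
            if (!in_array($attr->nodeName, ALLOWED_ATTRIBUTES, true)) {
                $problems[] = "attribute {$attr->nodeName} on <{$el->nodeName}> is not allowed";
            }
        }
    }
    return $problems;
}

// Constructed sample inputs (not from the issue).
$clean  = '<svg xmlns="' . SVG_NS . '" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="red"/></svg>';
$active = '<svg xmlns="' . SVG_NS . '" onload="/* handler */"><script>/* active content */</script></svg>';
print_r(checkSvgUpload($clean));
print_r(checkSvgUpload($active));
```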