Changeset 3411413

Timestamp:

12/04/2025 09:03:53 PM (9 days ago)

Author:

ideastocode

Message:

Tested up to 6.9

Location:

enable-svg-webp-ico-upload/trunk

Files:

• README.txt (modified) (2 diffs)
• includes/BaseController.php (modified) (1 diff)
• includes/class-ico.php (modified) (2 diffs)
• includes/class-itc.php (modified) (1 diff)
• itc-svg-upload.php (modified) (2 diffs)

enable-svg-webp-ico-upload/trunk/README.txt

@@ -4 +4 @@
 Tags: SVG, WebP, ico, image, Serve images
 Requires at least: 4.7
-Tested up to: 6.8
-Stable tag: 1.1.3
+Tested up to: 6.9
+Stable tag: 1.1.4
 Requires PHP: 7.0
 License: GPLv2 or later
@@ -49 +49 @@
 
 == Changelog ==
+
+= 1.1.4 =
+* Security fixes
 
 = 1.1.3 =

enable-svg-webp-ico-upload/trunk/includes/BaseController.php

@@ -11 +11 @@
                 'title'     =>'Enable SVG, WebP & ICO Upload',
                 'slug'      =>'itc-svg-upload',
-                'version'   => ( defined( 'ITC_SVG_UPLOAD_VERSION' ) ) ? ITC_SVG_UPLOAD_VERSION: '1.1.3',
+                'version'   => ( defined( 'ITC_SVG_UPLOAD_VERSION' ) ) ? ITC_SVG_UPLOAD_VERSION: '1.1.4',
                 'settings'  =>'itc_svg_upload_settings',
             );

enable-svg-webp-ico-upload/trunk/includes/class-ico.php

@@ -2 +2 @@
 class ITC_SVG_Upload_Ico {
 
-    /**
-     * Adds ICO file type support during the file upload process.
-     * Sanitizes and validates the filename and MIME type to prevent arbitrary file uploads.
-     *
-     * @param array $types Allowed types array containing 'ext' and 'type'.
-     * @param string $file The full path to the file being uploaded.
-     * @param string $filename The name of the file being uploaded.
-     * @param array $mimes Allowed MIME types.
-     * @return array Updated types array with 'ext' and 'type' for ICO files if valid.
-     */
     public function upload_ico_files( $types, $file, $filename, $mimes ) {
-        // Validate the filename for .ico extension
-        if ( false !== strpos( strtolower( $filename ), '.ico' ) ) {
-            // Check file MIME type and validate the ICO file structure
+
+        if ( $this->has_valid_ico_extension( $filename ) ) {
+
             if ( $this->is_valid_ico( $file ) ) {
                 $types['ext'] = 'ico';
                 $types['type'] = 'image/x-icon';
             } else {
-                // Invalidate file type if the file content is not valid
+
                 $types['ext'] = false;
                 $types['type'] = false;
@@ -26 +16 @@
         }
 
+
         return $types;
     }
 
-    /**
-     * Adds ICO MIME type support to WordPress file uploads.
-     * Ensures the MIME type is correctly specified and secure.
-     *
-     * @param array $mimes Allowed MIME types.
-     * @return array Updated MIME types with support for ICO files.
-     */
     public function ico_files( $mimes ) {
-        // Only allow the official MIME type for ICO files
         $mimes['ico'] = 'image/x-icon';
-
         return $mimes;
     }
 
-    /**
-     * Validates the ICO file by checking its content structure.
-     *
-     * @param string $file The path to the file being uploaded.
-     * @return bool True if the file is a valid ICO, false otherwise.
-     */
     private function is_valid_ico( $file ) {
-        // Read the first 4 bytes of the file to check the ICO signature
         $handle = @fopen( $file, 'rb' );
         if ( $handle === false ) {
             return false;
         }
-
         $header = fread( $handle, 4 );
         fclose( $handle );
-
-        // ICO files start with two null bytes followed by 0x01 and 0x00
         return $header === "\x00\x00\x01\x00";
     }
+    
+    private function has_valid_ico_extension( $filename ) {
+        $filename_lower = strtolower( $filename );
+        $extension = '.ico';
+        $extension_length = strlen( $extension );
+        
+        if ( strlen( $filename_lower ) < $extension_length ) {
+            return false;
+        }
+        
+        return substr_compare( $filename_lower, $extension, -$extension_length ) === 0;
+    }
 
+    public function sanitize_upload_filename_prefilter( $file ) {
+        $filename = $file['name'];
+        $pathinfo = pathinfo( $filename );
+        
+
+        $is_possible_ico = false;
+        if ( isset( $pathinfo['extension'] ) ) {
+            $extension_lower = strtolower( $pathinfo['extension'] );
+            $is_possible_ico = ( $extension_lower === 'ico' );
+        }
+        
+
+        if ( $is_possible_ico && isset( $pathinfo['filename'] ) ) {
+
+            if ( strpos( $pathinfo['filename'], '.' ) !== false ) {
+
+                $sanitized_filename = str_replace( '.', '', $pathinfo['filename'] );
+                $file['name'] = $sanitized_filename . '.' . $pathinfo['extension'];
+            }
+        }
+        
+        return $file;
+    }
+
+    public function generate_htaccess_protection() {
+        $htaccess_content = "# Protect ICO files from execution - Generated by Enable SVG, WebP, and ICO Upload plugin\n";
+        $htaccess_content .= "<FilesMatch \"\\.ico$\">\n";
+        $htaccess_content .= "    SetHandler default-handler\n";
+        $htaccess_content .= "    ForceType application/octet-stream\n";
+        $htaccess_content .= "    Header set Content-Disposition attachment\n";
+        $htaccess_content .= "</FilesMatch>\n";
+        
+        return $htaccess_content;
+    }
+
+    public static function activate_plugin() {
+        $instance = new self();
+        
+
+        if ( function_exists( 'apache_get_modules' ) ) {
+            $uploads_dir = wp_upload_dir();
+            $htaccess_path = $uploads_dir['basedir'] . '/.htaccess';
+            
+
+            if ( file_exists( $htaccess_path ) ) {
+                $current_content = file_get_contents( $htaccess_path );
+                $new_rules = $instance->generate_htaccess_protection();
+                
+  
+                if ( strpos( $current_content, 'Protect ICO files from execution' ) === false ) {
+                    file_put_contents( $htaccess_path, $new_rules . "\n" . $current_content, LOCK_EX );
+                }
+            } else {
+
+                file_put_contents( $htaccess_path, $instance->generate_htaccess_protection(), LOCK_EX );
+            }
+        }
+    }
 }

enable-svg-webp-ico-upload/trunk/includes/class-itc.php

@@ -73 +73 @@
             $this->loader->add_filter( 'wp_check_filetype_and_ext', $plugin_ico, 'upload_ico_files', 10, 4 );
             $this->loader->add_filter( 'upload_mimes', $plugin_ico, 'ico_files' );
+            $this->loader->add_filter( 'wp_handle_upload_prefilter', $plugin_ico, 'sanitize_upload_filename_prefilter' );           
+
         }
     }

enable-svg-webp-ico-upload/trunk/itc-svg-upload.php

@@ -10 +10 @@
  * Plugin URI:        https://ideastocode.com/plugins/enable-svg-WebP-ico-upload/
  * Description:       This plugin will enable you to upload SVG, WebP & ICO files
- * Version:           1.1.3
+ * Version:           1.1.4
  * Author:            ideasToCode
  * Author URI:        http://ideastocode.com/
@@ -24 +24 @@
 }
 
-define( 'ITC_SVG_UPLOAD_VERSION', '1.1.3' );
+define( 'ITC_SVG_UPLOAD_VERSION', '1.1.4' );
 if ( ! defined( 'ITC_SVG_UPLOAD_BASENAME' ) ) {
     define( 'ITC_SVG_UPLOAD_BASENAME', plugin_basename( __FILE__ ) );