Filter out bad MIME types from fileopen.php and share allowable array with filesave.php

git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2617 eee81c28-f429-11dd-99c0-75d572ba1ddd
Brett Zamir
2013-10-29 07:26:29 +00:00
parent 395badc387
commit e17b03a59b
3 changed files with 26 additions and 12 deletions


@@ -12,20 +12,24 @@
// Very minimal PHP file, all we do is Base64 encode the uploaded file and
// return it to the editor
$file = $_FILES['svg_file']['tmp_name'];
$output = file_get_contents($file);
$type = $_REQUEST['type'];
if (!in_array($type, array('load_svg', 'import_svg', 'import_img'))) {
exit;
}
require('allowedMimeTypes.php');
$file = $_FILES['svg_file']['tmp_name'];
$output = file_get_contents($file);
$prefix = '';
// Make Data URL prefix for import image
if($type == 'import_img') {
$info = getimagesize($file);
if (!in_array($info['mime'], $allowedMimeTypesBySuffix)) {
exit;
}
$prefix = 'data:' . $info['mime'] . ';base64,';
}
?>
@@ -33,7 +37,12 @@
<head>
<meta charset="utf-8" />
<script>
window.top.window.svgEditor.processFile("<?php echo $prefix . base64_encode($output); ?>", "<?php echo $type; ?>");
window.top.window.svgEditor.processFile("<?php
// This should be safe since SVG edit does its own filtering (e.g., if an SVG file contains scripts)
echo $prefix . base64_encode($output);
?>", "<?php echo $type; ?>");
</script>
</head><body></body>
</html>
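Review bot: In the first hunk, `getimagesize($file)` returns `false` for input it cannot parse, so the new check reads `$info['mime']` from a non-array and compares the resulting `null` loosely. Rejection then depends on what `allowedMimeTypes.php` (not shown here) puts in `$allowedMimeTypesBySuffix`. An explicit guard would be `if ($info === false || !in_array($info['mime'], $allowedMimeTypesBySuffix, true)) { exit; }`. The MIME filter also covers only `import_img`: the `load_svg` and `import_svg` paths still return whatever was uploaded and rely entirely on the editor's own filtering, as the comment added in the second hunk acknowledges, so a comment next to the `$type` whitelist should state that server-side content checking is intentionally absent there. `$file` is also read without checking `$_FILES['svg_file']['error']` or `is_uploaded_file($file)`, which would stop `file_get_contents()` from being called on a missing or failed upload.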