From e17b03a59b073cc588ca60f4decca3d26422c3b6 Mon Sep 17 00:00:00 2001 From: Brett Zamir Date: Tue, 29 Oct 2013 07:26:29 +0000 Subject: [PATCH] Filter out bad MIME types from fileopen.php and share allowable array with filesave.php git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2617 eee81c28-f429-11dd-99c0-75d572ba1ddd --- editor/extensions/allowedMimeTypes.php | 11 +++++++++++ editor/extensions/fileopen.php | 19 ++++++++++++++----- editor/extensions/filesave.php | 8 +------- 3 files changed, 26 insertions(+), 12 deletions(-) create mode 100644 editor/extensions/allowedMimeTypes.php diff --git a/editor/extensions/allowedMimeTypes.php b/editor/extensions/allowedMimeTypes.php new file mode 100644 index 00000000..cad3050c --- /dev/null +++ b/editor/extensions/allowedMimeTypes.php @@ -0,0 +1,11 @@ + 'image/svg+xml', + 'png' => 'image/png', + 'jpeg' => 'image/jpeg', + 'bmp' => 'image/bmp', + 'webp' => 'image/webp' +); + +?> \ No newline at end of file diff --git a/editor/extensions/fileopen.php b/editor/extensions/fileopen.php index 28ecb8ca..ff9a0cb3 100644 --- a/editor/extensions/fileopen.php +++ b/editor/extensions/fileopen.php @@ -12,20 +12,24 @@ // Very minimal PHP file, all we do is Base64 encode the uploaded file and // return it to the editor - $file = $_FILES['svg_file']['tmp_name']; - - $output = file_get_contents($file); - $type = $_REQUEST['type']; if (!in_array($type, array('load_svg', 'import_svg', 'import_img'))) { exit; } + require('allowedMimeTypes.php'); + + $file = $_FILES['svg_file']['tmp_name']; + + $output = file_get_contents($file); $prefix = ''; // Make Data URL prefix for import image if($type == 'import_img') { $info = getimagesize($file); + if (!in_array($info['mime'], $allowedMimeTypesBySuffix)) { + exit; + } $prefix = 'data:' . $info['mime'] . ';base64,'; } ?> @@ -33,7 +37,12 @@ diff --git a/editor/extensions/filesave.php b/editor/extensions/filesave.php index 998c12de..0bca52ee 100644 --- a/editor/extensions/filesave.php 
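Review bot: The new include file ends with a closing `?>` (and, per the marker, no trailing newline); for a file that only defines `$allowedMimeTypesBySuffix` and is required by fileopen.php and filesave.php, any whitespace that later lands after that tag becomes output sent before the callers' own headers and body. Drop the closing tag so the file ends after `);`, the usual convention for include-only PHP files. A one-line comment above the array, `// suffix => MIME type whitelist shared by fileopen.php and filesave.php`, would also record why it lives in its own file.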
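Review bot: `getimagesize($file)` returns false for a non-image or unreadable upload, so the new guard's `$info['mime']` indexes into false (a notice/warning) and only rejects the request because `in_array(null, …)` happens to be false under loose comparison; make the failure explicit with `if ($info === false || !in_array($info['mime'], $allowedMimeTypesBySuffix, true)) { exit; }`. The same hunk still reads `$_FILES['svg_file']['tmp_name']` without checking `$_FILES['svg_file']['error']` or `is_uploaded_file($file)`, so an absent or failed upload reaches `file_get_contents` with an empty path. The whitelist is applied only on the `import_img` branch, while `load_svg` and `import_svg` return the uploaded bytes unchecked; that may be intended, since getimagesize cannot identify SVG, but a comment saying so would stop a reader expecting the filter to cover those paths too. The script's opening `<?php` block begins above this hunk.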
+++ b/editor/extensions/filesave.php
@@ -9,13 +9,7 @@
 *
 */
-$allowedMimeTypesBySuffix = array(
- 'svg' => 'image/svg+xml',
- 'png' => 'image/png',
- 'jpeg' => 'image/jpeg',
- 'bmp' => 'image/bmp',
- 'webp' => 'image/webp'
-);
+require('allowedMimeTypes.php');
 $mime = !isset($_POST['mime']) || !in_array($_POST['mime'], $allowedMimeTypesBySuffix) ? 'image/svg+xml' : $_POST['mime'];