From 7cc7fc6d34ac8f1e84b6cd199e4cd36e25894da2 Mon Sep 17 00:00:00 2001 From: "Soare Robert Daniel (Mac 2023)" Date: Fri, 25 Oct 2024 11:42:06 +0300 Subject: [PATCH] fix: SVG sanitization for file uploaded with 'sideload' action --- inc/class-main.php | 5 +++++ tests/assets/test-img.png | Bin 0 -> 67 bytes tests/test-svg-upload.php | 22 +++++++++++++++++++++- 3 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 tests/assets/test-img.png diff --git a/inc/class-main.php b/inc/class-main.php index 7cde4d20b9..069472b3f8 100644 --- a/inc/class-main.php +++ b/inc/class-main.php @@ -42,6 +42,7 @@ public function init() { if ( ! function_exists( 'is_wpcom_vip' ) ) { add_filter( 'upload_mimes', array( $this, 'allow_meme_types' ), PHP_INT_MAX ); // phpcs:ignore WordPressVIPMinimum.Hooks.RestrictedHooks.upload_mimes add_filter( 'wp_handle_upload_prefilter', array( $this, 'check_svg_and_sanitize' ) ); + add_filter( 'wp_handle_sideload_prefilter', array( $this, 'check_svg_and_sanitize' ) ); add_filter( 'wp_check_filetype_and_ext', array( $this, 'fix_mime_type_json_svg' ), 75, 3 ); add_filter( 'wp_generate_attachment_metadata', array( $this, 'generate_svg_attachment_metadata' ), PHP_INT_MAX, 2 ); } @@ -398,6 +399,10 @@ public function check_svg_and_sanitize( $file ) { 'otter-blocks' ); } + + $path_info = pathinfo( $file['name'] ); + $unique_suffix = '-' . substr( md5 (uniqid() ), 0, 6 ); + $file['name'] = $path_info['filename'] . $unique_suffix . '.' . $path_info['extension']; } return $file; diff --git a/tests/assets/test-img.png b/tests/assets/test-img.png new file mode 100644 index 0000000000000000000000000000000000000000..252d9502d8573d033e633f5e377d81bebf8afd36 GIT binary patch literal 67 zcmeAS@N?(olHy`uVBq!ia0vp^j35jm7|ip2ssJf2PZ!6K3dZCFAe)JSvAC2`0?1 $file, + 'name' => $filename, 'type' => 'image/svg+xml', 'tmp_name' => $tmp_path, 'error' => 0, 
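Review bot: The suffix built in the second hunk of inc/class-main.php comes from `md5( uniqid() )`, which is derived from the current microsecond time rather than a random source, so if the rename is meant to make the stored filename unguessable it does not achieve that; if it is only meant to avoid a name collision, a comment should say so, since the same callback is now hooked to both `wp_handle_upload_prefilter` and `wp_handle_sideload_prefilter` and the rename therefore applies on the ordinary upload path too. The line `$file['name'] = $path_info['filename'] . $unique_suffix . '.' . $path_info['extension'];` also reads `$path_info['extension']` unconditionally, which raises an undefined-index notice and yields a name ending in `.` when `$file['name']` carries no extension; whether such a name can reach this point depends on the condition opening the enclosing block, which is outside the hunk. A safer form is `$unique_suffix = '-' . bin2hex( random_bytes( 3 ) );` followed by `$file['name'] = $path_info['filename'] . $unique_suffix . ( isset( $path_info['extension'] ) ? '.' . $path_info['extension'] : '' );`, with the note that `random_bytes()` throws if no CSPRNG is available. The body of check_svg_and_sanitize begins before this hunk.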
@@ -44,9 +44,29 @@ public function test_svg_upload() { // We check that no error was attached. $this->assertTrue( empty( $response['error'] ) ); + // Check if the filename has been changed. + $this->assertNotEquals( $file['name'], $response['name'] ); + $contents = file_get_contents( $response['tmp_name'] ); // We check that the SVG was sanitized. $this->assertTrue( strpos( $contents, '