Unable to upload .svg file as an attachment

KevinTheJedi

Right click the page, click Inspect, click Network, make sure you check the box to Preserve Logs, upload the file, click on the upload request, look at the Response, and see if it gives you a more detailed error.

Cheers.

erikpahlberg

Invalid File - is the response.

Request headers:
Content-Length: 5257
content-type: multipart/form-data; boundary=------multipartformboundary1677683054727

KevinTheJedi

erikpahlberg

Does the file's mime type match the extension?

Cheers.

erikpahlberg

KevinTheJedi
file --mime-type /home/erik/logopinguin.svg
/home/erik/logopinguin.svg: image/svg+xml
and from network tab:

erikpahlberg

Tried with same version PHP that Osticket is running:
echo mime_content_type('logopinguin.svg') . "\n";

image/svg+xml

KevinTheJedi

erikpahlberg

This method is returning false:

https://github.com/osTicket/osTicket/blob/61263635d982e17bdfd08556e93c972e1d5c612d/include/class.forms.php#L3973

So either the file couldn't be uploaded on the server (ie. no tmp_name), the file type does not include image/ (which is not the case here), or the exif_imagetype does not pass. You can add some var_dump(); statements in that function to see what's missing or what's failing.

Cheers.

erikpahlberg

It seems to me that https://www.php.net/manual/en/function.exif-imagetype.php doesn't support .svg file type? Atleast I didn't find SVG file type in there.

linkonewq

erikpahlberg true, there only gif, jpeg, png are supported

erikpahlberg

static function isValidFile($file) {

    // Check invalid image hacks
    if ($file['tmp_name']
        && stripos($file['type'], 'image/') === 0
        && strpos(mime_content_type($file['tmp_name']), 'image/') === False) {
      return false;
      }
    return true;

}

I changed the function and now it seems to work. I am not a programmer so if you have better solution then I am all ears 🙂 But is it possible for you to look over this and maybe include it in next release?
Thank you for your help!!!

KevinTheJedi

erikpahlberg

That's just a band-aid, not an actual fix. It may work for you but not how it's intended to work. So no, this will not be included in the next release.

Cheers.

labemi

Seems like exif_imagetype doesn't recognise SVG as images (source).

I also changed isValidFile() as mentioned by erikpahlberg by adding the following condition to the Check invalid image hacks part:

&& mime_content_type($file['tmp_name']) != 'image/svg+xml'

This solved the issue for me.

erikpahlberg

Okay, but can Osticket include actual fix in the next release or consider it? Since svg file types are image types but current release doesn't accept it as this.
As far as I understand others should also have this issue?
Maybe you can check my hypothesis that https://www.php.net/manual/en/function.exif-imagetype.php function doesn't recognize .svg file types.

KevinTheJedi

erikpahlberg

We can add it to our list to look into.

Cheers.

erikpahlberg

KevinTheJedi
Thank you, please do!
For now I have to roll with the band-aid fix 🙂

labemi

Experiencing the same issue on latest osTicket 1.18.2. Any info on the fix?

labemi

The only thing one could be concerned about is that there is no method of checking malicious svg code within the svg file. It would be awesome to have a cleaner function that strips potentially dangerous tags from the svg source's xml tree.

If anyone knows an available solution that can easily be implemented via a plugin (or at least a dirty code hack), any source for such an solution is greatly appreciated.

linkonewq Actually exif_imagetype supports even 19 types, with .psd, .ico, and .webp among them (see provided link from php manual).