Support SVG files for theme logo setting

Created on 6 May 2014, about 10 years ago
Updated 13 April 2024, 2 months ago

Problem

Page: admin/appearance/settings
Action: I want to set an svg image file as the logo

Situation 1:
- Place the file logo.svg myself on the root of the web site.
- Uncheck "Use the default logo supplied by the theme".
- Fill in logo.svg in "Path to custom logo".
- Click "Save configuration".

result: OK, logo changed and displays as expected. See Figure 1 which demonstrates this behavior.

Situation 2:
- Uncheck "Use the default logo supplied by the theme".
- Browse to the logo.svg on my local computer and select it in "Upload logo image".
- Click "Save configuration".

result: file refused with error messages:

    The specified file logo.svg could not be uploaded.
        - Image type not supported. Allowed types: png jpeg gif
        - Only files with the following extensions are allowed: jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp.
    The logo could not be uploaded.

What is wrong:
- The 1st error message comes from the active toolkit in the Image system, but as the logo will not be manipulated by the toolkit, it should stay out of this setting.
- The 2nd error is even stranger as the logo file now suddenly seems to be treated as a regular file upload.

See Figure 2 for error messages when uploading an SVG.

Proposed resolution

  • There should only be a check if the logo is a regular/known image format.
  • Both ways of defining the logo should react the same.

See Figure 3 for expected behavior when uploading an SVG.

User interface changes

Update error messages when uploading an invalid file.

Current (when uploading a .txt file):

The specified file logo.txt could not be uploaded.

    The image file is invalid or the image type is not allowed. Allowed types: png, jpeg, jpg, jpe, gif, webp

Expected:

The specified file logo.txt could not be uploaded.

    Only files with the following extensions are allowed: png gif jpg jpeg apng svg.

See Figure 4 for expected behavior when uploading an invalid file.

Remaining tasks

  • Decide if it's acceptable to mark "administer themes" as "restrict access: true" to gain the functionality of using SVG as the logo.
  • If not, decide how to sanitize SVG images - see comment 176 for details

API changes

None.

<!-- See https://drupal.org/core-mentoring/novice-tasks for tips on identifying novice tasks. Delete or add "Novice" from the Novice? column in the table below as appropriate. Uncomment tasks as the issue advances. Update the Complete? column to indicate when they are done, and maybe reference the comment number where they were done. -->

Screenshots and mockups

Figure 1. Defining a custom logo path after uploading a file directly to the filesystem.

Figure 2. Current core behavior when attempting to upload an SVG.

Figure 3. Expected core behavior when attempting to upload an SVG.

Figure 4. Expected core behavior when attempting to upload an invalid file type.

Feature request
Status

Fixed

Version

10.3

Component
Theme 

Last updated 1 minute ago

Created by

🇫🇷France fietserwin Le Mont-Dore

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

  • Status changed to Needs review about 1 year ago
  • Open in Jenkins → Open on Drupal.org →
    Environment: PHP 8.1 & MySQL 5.7
    last update about 1 year ago
    29,380 pass
  • 🇮🇳India Gauravvv Delhi, India

    Updated default theme path in tests, attached patch for same. please review

  • Status changed to Needs work about 1 year ago
  • 🇺🇸United States smustgrave

    Leaving the issue summary tag for possible cleanup.

    This seems close but think the tests should be expanded to test all the extensions being added.

    Also a change record should be written for it.

  • 🇺🇸United States DamienMcKenna NH, USA

    There's a long-standing concern about allowing SVG uploads to Drupal sites due to the security problems inherent in the format. At the same time, site owners want full control over their sites and should be able to do things that could potentially be harmful to their sites because that's their decision.

    There are 3rd party libraries that can filter SVG content to protect a site, but I don't see that being used here. Therefore, this would allow someone with the "administer themes" permission to upload unfiltered SVG files to the site, which would then be viewed by all visitors.

    One method of absolving core developers of having to somehow protect every site from every possible security vulnerability, while also allowing individual site owners to do what they want with their own site, has been the use of "restricted access" permissions to protect certain site functionality. For example the permission for controlling field configuration is a "restricted" permission, because you could potentially open a site up to security vulnerabilities based upon how you build fields on an entity type.

    The concern with this issue is that (IIRC) this would be the first part of Drupal core that officially allowed uploading SVG files to the site. However, no security tools are being added to protect the site from an unscrupulous user who discovered they'd been given the "administer themes" permission. Furthermore, the "administer themes" permission is not a "restricted" one, therefore some level of protection is warranted.

    Therefore, from a security standpoint IMHO this needs further work - either an SVG security tool be added to core and properly implemented, or the "administer themes" permission be changed to a "restricted access" one.

  • 🇺🇸United States trackleft2

    @DemianMcKenna, There are definitely easy workarounds without a patch where you can upload SVG to a server via a file upload, and a content block.

    This feature request is really just a nice to have, so site owners can use the thing they want.

    We can't be the SVG police in the same way we can't be the text formatter police. The best thing we can do is to inform users that they should be concerned about arbitrarily uploading files from untrusted sources (This isn't SVG specific advice).

    It was mentioned way back in #147 that we should consider rearchitecting how image toolkits are handled, but that did not seem to go over very well.

  • 🇺🇸United States DamienMcKenna NH, USA

    We can't be the SVG police in the same way we can't be the text formatter police.

    But by default Drupal does police HTML content that is rendered on the page via content inserted through text fields. Therefore, we also need to either a) provide filtering for SVG files, or b) change the permission associated with theme administration to one that puts the responsibility squarely on the head of the site owner/builder - that's what the "restricted access" permission flag indicates.

  • Status changed to Needs review about 1 year ago
  • Open on Drupal.org →
    Environment: PHP 8.1 & MySQL 5.7
    last update about 1 year ago
    Waiting for branch to pass
  • 🇺🇸United States DamienMcKenna NH, USA

    This builds on #168 and changes the "administer themes" permission to be a "restricted access" permission, which IMHO would fulfill the security requirements.

  • Status changed to Needs work about 1 year ago
  • 🇺🇸United States smustgrave

    Removing issue summary update which appeared to have been done.

    Can a simple change record be written that announce svgs are now allowed?

    @DamienMcKenna can we remove the Needs security review tag?

  • 🇺🇸United States greggles Denver, Colorado, USA

    With my "security team" hat on I agree with DamienMcKenna's prior comments that if svgs are allowed to be uploaded then we should mark that permission as "restrict access".

    Is this tradeoff worth it to allow uploading of svgs in exchange for marking "administer themes" as a restricted permission?

    An option to not have to add "restrict access: true" for the permission would be to filter the SVG similarly to how text formats filter text - an option for that seems to be https://www.drupal.org/project/svg_sanitizer though if we go that route we should try to also do it for core file upload fields.

    Removing the "Needs security review" tag since I think Damien and I have provided that perspective, but it might need ongoing review so feel free to add back and ping if needed.

    Those tradeoffs and options seem like questions for a framework or product manager.

  • 🇬🇧United Kingdom alexpott 🇪🇺🌍
    +++ b/core/modules/system/src/Form/ThemeSettingsForm.php
    @@ -236,7 +236,9 @@ public function buildForm(array $form, FormStateInterface $form_state, $theme =
    -          'file_validate_is_image' => [],
    +          'file_validate_extensions' => [
    +            'png gif jpg jpeg apng svg',
    +          ],
    

    This will need updating for https://www.drupal.org/node/3363700

  • 🇺🇸United States greggles Denver, Colorado, USA

    Making title more descriptive and changing category. IMO this seems like a feature, to add support for more formats.

  • Status changed to Needs review 7 months ago
  • 🇺🇸United States joegraduate Arizona, USA

    Re-rolled #173 and made change suggested in #177.

  • last update 7 months ago
    30,688 pass
  • Status changed to Needs work 6 months ago
  • 🇺🇸United States smustgrave

    With patches please include an interdiff. Also if possible MRs are recommended now too.

    But moving to NW for the change record.

  • 🇮🇳India manikandank03 Tamil Nadu

    The patch #179 works fine with latest Drupal 10.2.2 with PHP 8.2

  • 🇺🇸United States thejimbirch Cape Cod, Massachusetts

    So to clarify, this just needs a change record and the patch in #179 turned into a merge request to move it forward?

  • 🇺🇸United States thejimbirch Cape Cod, Massachusetts

    thejimbirch changed the visibility of the branch 2259567-parsonsj to hidden.

  • 🇺🇸United States thejimbirch Cape Cod, Massachusetts

    thejimbirch changed the visibility of the branch 2259567-unnecessary-restrictions-on to hidden.

  • 🇺🇸United States thejimbirch Cape Cod, Massachusetts

    Hid some stale files and stale merge requests that were against 9.2 and 9.3.

  • 🇺🇸United States greggles Denver, Colorado, USA

    I don't think that's quite it, but that would be helpful.

    I updated the issue summary to remove an outdated remaining task and add some option items from comment 176.

  • 🇺🇸United States thejimbirch Cape Cod, Massachusetts

    thejimbirch changed the visibility of the branch 9.2.x to hidden.

  • 🇺🇸United States thejimbirch Cape Cod, Massachusetts

    thejimbirch changed the visibility of the branch 10.2.x to hidden.

  • 🇺🇸United States thejimbirch Cape Cod, Massachusetts

    thejimbirch changed the visibility of the branch 10.3.x to hidden.

  • 🇺🇸United States thejimbirch Cape Cod, Massachusetts

    thejimbirch changed the visibility of the branch 11.x to hidden.

  • 🇨🇦Canada taylor_wills

    twills made their first commit to this issue’s fork.

  • Status changed to Needs review 3 months ago
  • 🇨🇦Canada taylor_wills

    MR Added created from patch in comment 179. Draft change record created.

  • Pipeline finished with Success
    3 months ago
    Total: 9422s
    #129641
  • Status changed to Needs work 3 months ago
  • 🇺🇸United States smustgrave

    Hiding the patch as the work is in the MR now.

    Unfortunately think the test needs to be tweaked some as it seems to be passing without the update. See https://git.drupalcode.org/issue/drupal-2259567/-/jobs/1161166

    Testing manually though when I upload a svg it doesn't appear to render.

    Was on standard profile using olivero as frontend theme.

    Removing tag for CR.

  • Pipeline finished with Success
    3 months ago
    Total: 693s
    #129863
  • Status changed to RTBC 3 months ago
  • 🇺🇸United States smustgrave

    Ah found out the problem. The svg wasn’t saving but that wasn’t being checked if the form threw any errors. And when it went to check the logo_path it had the old image png value which was valid because the form never saved.

    I added an assertion for the verification message the form saved

    But also cleared the logo at the end of the loop so new value can be added and doesn't fall back to the previous image in the loop.

    We now get a test only failure https://git.drupalcode.org/issue/drupal-2259567/-/jobs/1163711

    Didn't make any change to the solution so think I'm fine with marking

  • Status changed to Needs review 3 months ago
  • 🇬🇧United Kingdom catch

    Back to needs review for that question. I feel like allowing someone to administer themes allows them to deface your site, apart from their ability to upload malicious SVGs, so it probably make sense to add it?

  • Status changed to RTBC 3 months ago
  • 🇺🇸United States smustgrave

    Responded

  • 🇬🇧United Kingdom alexpott 🇪🇺🌍

    Trying to sort out issue credit. I've tried to credit everyone who has moved this issue on over years with patches, helpful comments. mentoring at cons, working on it at cons. If I've made a mistake please let me know.

  • 🇬🇧United Kingdom alexpott 🇪🇺🌍

    Drupal does provide ample footguns especially behind the restrict access type permissions. I think that this functionality is expected out-of-the-box and therefore we should support it.

    Committed and pushed 537f11dcb5 to 11.x and 340845698d to 10.3.x. Thanks!

    • alexpott committed 34084569 on 10.3.x
      Issue #2259567 by jcnventura, eelkeblok, joegraduate, thejimbirch,...
  • Status changed to Fixed 3 months ago
    • alexpott committed 537f11dc on 11.x
      Issue #2259567 by jcnventura, eelkeblok, joegraduate, thejimbirch,...
  • 🇬🇧United Kingdom alexpott 🇪🇺🌍

    I'm a little bit amused that we've supported svg upload in favicon since #864938: Can't upload .ico favicon ... TIL.

  • Automatically closed - issue fixed for 2 weeks with no activity.

Production build 0.69.0 2024