Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter mystream

    (@mystream)

    Hi Benbodhi,

    Is this any help at all?
    https://pastebin.com/qz8vUL5u

    Thanks!
    Andrew

    Thread Starter mystream

    (@mystream)

    Hi @benbodhi,

    Imagine $svg contains a UTF-8 character or an invalid path.

    Instead of $svg being FALSE, it will kick out an error. Because it won’t be FALSE, it will move to the ELSE statement.

    That will then cause an error with $svg->attributes();

    This is the bug I was getting.

    I think you need to check whether you can read $svg using is_file() or is_readable() etc., along with basename() and a path, so that someone can’t use ../../ to do directory traversal through the code.

    Once you know it’s a proper file, in an acceptable place on the drive, and that you can read it, then I think you should either try/catch it or add an error handler in case it fails. If the error handler hasn’t caught an error, and the $svg variable has returned a resource, then carry on to the else.

    I think it’s just more error checking needed when you can’t control the origin of $svg.

    These were my notes for it:

    // add @ or otherwise validate this
    // check this uses basepath()
    // check the file exists
    // check the file is readable
    // check this is an SVG

    Is that something you can add?

    Thanks,
    MyStream

    Thread Starter mystream

    (@mystream)

    Hi @benbodhi,

    Can you post your update here and I’ll try to offer any thoughts if I can?

    Thank you 🙂
    MyStream

    Thread Starter mystream

    (@mystream)

    Hi Benbodhi,

    Perhaps:

    
    function bodhi_svgs_get_dimensions( $svg ) {
    
    	// Suppress errors internally (parse failures go to libxml's buffer, not PHP notices)
    	libxml_use_internal_errors(true);
    
    	// Create a known, reliable path: basename() drops any directory component,
    	// so a value like '../../etc/passwd' cannot escape the SVG directory
    	$path = $_SERVER['DOCUMENT_ROOT'].'/path/to/svg/'.basename($svg);
    
    	// Make sure it exists and can be read
    	if(file_exists($path) && is_readable($path)) {
    		$svg = simplexml_load_file( $path );
    
    		// Make sure the document returned is valid before touching $svg->attributes()
    		if(false !== $svg) {
    			// Rest of your code here
    		}
    	}
    
    	// ...
    }
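
    A fuller version of the checks described in the two replies above (validate the path, confirm the file exists and is readable, confirm it really is an SVG, then parse with libxml errors buffered), as an added example that is neither the plugin's code nor the poster's: the function name, the $base_dir parameter and the sample files written to a temporary directory are assumptions made for the demonstration. One caveat the snippet above does not cover: PHP's basename() is locale aware and can strip multibyte characters from a filename unless a UTF-8 locale is set, which matters for exactly the kind of theme filename that triggered this bug. The realpath() comparison is a second line of defence on top of basename(), since it also rejects a symlink inside the directory that points outside it.

```php
<?php
// Added example (not the plugin's code): a hardened SVG dimensions lookup.
// Function name, $base_dir and the sample files below are assumptions.

/**
 * Return array('width' => ..., 'height' => ...) for an SVG inside $base_dir,
 * or false if the file is outside that directory, unreadable, not an SVG,
 * or not well-formed XML.
 */
function mystream_safe_svg_dimensions( $svg, $base_dir ) {
	// basename() is locale aware: without a UTF-8 locale it can strip
	// multibyte characters from a filename such as the theme's.
	setlocale( LC_CTYPE, 'C.UTF-8', 'en_US.UTF-8' );

	$base = realpath( $base_dir );
	if ( false === $base ) {
		return false;
	}

	// Drop any directory component so '../../etc/passwd' becomes 'passwd',
	// and only accept a .svg extension.
	$name = basename( (string) $svg );
	if ( '' === $name || 'svg' !== strtolower( pathinfo( $name, PATHINFO_EXTENSION ) ) ) {
		return false;
	}

	// Resolve the final path and confirm it is still under the base directory
	// (realpath follows symlinks, so a link pointing outside is rejected too).
	$path = realpath( $base . DIRECTORY_SEPARATOR . $name );
	if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
		return false;
	}
	if ( ! is_file( $path ) || ! is_readable( $path ) ) {
		return false;
	}

	// Route parse errors to libxml's buffer instead of PHP notices
	// (a notice is what leaked into the theme's generated CSS).
	$previous = libxml_use_internal_errors( true );
	$doc = simplexml_load_file( $path, 'SimpleXMLElement', LIBXML_NONET );
	libxml_clear_errors();
	libxml_use_internal_errors( $previous );

	// Well-formed XML is not enough; the root element must be <svg>.
	if ( false === $doc || 'svg' !== $doc->getName() ) {
		return false;
	}

	$attr   = $doc->attributes();
	$width  = isset( $attr['width'] )  ? (string) $attr['width']  : null;
	$height = isset( $attr['height'] ) ? (string) $attr['height'] : null;

	// Fall back to the viewBox when width or height are absent.
	if ( ( null === $width || null === $height ) && isset( $attr['viewBox'] ) ) {
		$box = preg_split( '/[\s,]+/', trim( (string) $attr['viewBox'] ) );
		if ( 4 === count( $box ) ) {
			$width  = ( null === $width )  ? $box[2] : $width;
			$height = ( null === $height ) ? $box[3] : $height;
		}
	}

	if ( null === $width || null === $height ) {
		return false;
	}
	return array( 'width' => $width, 'height' => $height );
}

// Demonstration with constructed files in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'svg-demo-' . getmypid();
mkdir( $dir );
file_put_contents( $dir . '/logó.svg',   '<svg xmlns="http://www.w3.org/2000/svg" width="120" height="40"></svg>' );
file_put_contents( $dir . '/broken.svg', '<svg width="1"' );
file_put_contents( $dir . '/notes.svg',  '<html><body>not an svg</body></html>' );

var_dump( mystream_safe_svg_dimensions( 'logó.svg', $dir ) );          // multibyte filename, well-formed SVG
var_dump( mystream_safe_svg_dimensions( '../../etc/passwd', $dir ) );  // directory traversal attempt
var_dump( mystream_safe_svg_dimensions( 'broken.svg', $dir ) );        // malformed XML, no PHP notice emitted
var_dump( mystream_safe_svg_dimensions( 'notes.svg', $dir ) );         // well-formed XML but not an SVG
var_dump( mystream_safe_svg_dimensions( 'missing.svg', $dir ) );       // nonexistent file

array_map( 'unlink', glob( $dir . '/*' ) );
rmdir( $dir );
```

    Run it with php on the command line; only the first call should return an array, every other case returns false without a single notice reaching the output, which is the property that matters when the caller is rendering CSS.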
    
    Thread Starter mystream

    (@mystream)

    Hi Benbodhi,

    We downloaded the Origen theme from themeforest.net.

    In this theme it references your plugin.

    When we logged in to Customize the theme, we found the Customize menu didn’t load fully. When I checked the XHR requests in Firefox I noticed that the CSS file included a PHP error in the output.

    I tracked that error to the file in your plugin.

    The error seemed to be caused by the theme author’s use of a UTF-8 character in the filename of an SVG file. When your file tried to load the file passed by the theme, it was not able to, and it generated an error notice that showed up in the rendering of the CSS file.

    I added @ in front of the call to suppress the error, but it’s only a temporary fix.

    Let me know if you would like any help fixing this one and I would be happy to try to assist.

    Warmest thanks,
    MyStream
