The <link> for the Favicon defaults to image/x-icon, even when it would make much more sense to use a different MIME type. Here, we simply default to image/x-icon, but provide specific support for image/x-gif and image/x-png if the file looks like one of those (i.e., ends in the appropriate extension).

Security impact:
Note that this patch might conceivably break if you have a favicon specified with a path like "/.i", in which case the substr will fail with an out-of-bounds error. The likelihood of this is effectively nil (even "/a.b" wouldn't fail, as it has to be shorter than four characters), and it's strictly a failure case, not a security problem, as the out-of-bounds error on substr is unrecoverable. Additionally, this setting can only be configured by the administrator.

Files: 
CommentFileSizeAuthor
drupal-favicon.patch896 bytesBMDan

Comments

Jody Lynn’s picture

Version:6.6» 7.x-dev
Status:Needs review» Needs work

We need to get it fixed in HEAD first and then backported. Need a re-roll from HEAD.

BMDan’s picture

Ah, you mean #415710: Favicon.ico defaults to 'type="image/x-icon"'? Am I handy, or what? ;)

BMDan’s picture

Status:Needs work» Closed (duplicate)