The <link> for the Favicon defaults to image/x-icon, even when it would make much more sense to use a different MIME type. Here, we simply default to image/x-icon, but provide specific support for image/x-gif and image/x-png if the file looks like one of those (i.e., ends in the appropriate extension).
Security impact:
Note that this patch might conceivably break if you have a favicon specified with a path like "/.i", in which case the substr will fail with an out-of-bounds error. The likelihood of this is effectively nil (even "/a.b" wouldn't fail, as it has to be shorter than four characters), and it's strictly a failure case, not a security problem, as the out-of-bounds error on substr is unrecoverable. Additionally, this setting can only be configured by the administrator.
| Comment | File | Size | Author |
|---|---|---|---|
| | drupal-favicon.patch | 896 bytes | BMDan |
Comments
Comment #1
Jody Lynn: We need to get it fixed in HEAD first and then backported. Need a re-roll from HEAD.
Comment #2
BMDan: Ah, you mean #415710: Favicon.ico defaults to 'type="image/x-icon"'? Am I handy, or what? ;)
Comment #3
BMDan: dup: #415710: Favicon.ico defaults to 'type="image/x-icon"'