The <link> for the Favicon defaults to image/x-icon, even when it would make much more sense to use a different MIME type. Here, we simply default to image/x-icon, but provide specific support for image/x-gif and image/x-png if the file looks like one of those (i.e., ends in the appropriate extension).

Security impact:
Note that this patch might conceivably break if you have a favicon specified with a path like "/.i", in which case the substr will fail with an out-of-bounds error. The likelihood of this is effectively nil (even "/a.b" wouldn't fail, as it has to be shorter than four characters), and it's strictly a failure case, not a security problem, as the out-of-bounds error on substr is unrecoverable. Additionally, this setting can only be configured by the administrator.

drupal-favicon.patch896 bytesBMDan
Members fund testing for the Drupal project. Drupal Association Learn more


Jody Lynn’s picture

Version: 6.6 » 7.x-dev
Status: Needs review » Needs work

We need to get it fixed in HEAD first and then backported. Need a re-roll from HEAD.

BMDan’s picture

Ah, you mean #415710: Favicon.ico defaults to 'type="image/x-icon"'? Am I handy, or what? ;)

BMDan’s picture

Status: Needs work » Closed (duplicate)