|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79045 Incorrect svg mimetypes detected
Submitted: 2019-12-30 01:30 UTC Modified: 2019-12-30 12:20 UTC
Avg. Score:3.8 ± 0.9
Reproduced:26 of 26 (100.0%)
Same Version:5 (19.2%)
Same OS:5 (19.2%)
From: sloth at 0k dot vc Assigned:
Status: Open Package: Filesystem function related
PHP Version: 7.2.26 OS: Centos 7.5
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: sloth at 0k dot vc
New email:
PHP Version: OS:


 [2019-12-30 01:30 UTC] sloth at 0k dot vc
PHP when given an svg perhaps without the xml header, will return a mime type of image/svg instead of image/svg+xml, however IANA does not list image/svg as an existant mimetype, nor do browsers display it. (

By SVG standards, mimetype returned should always be image/svg+xml, php should also behave consistently for a single type of file. If this is being used to differentiate properly headered SVGs from those that are not as strict, this should be done as part of a file validity check not a mime type check.

Previously reported bug ( was indicated as "Not a bug" due to it being deemed as upstream fault with libmagic. However, libmagic returns svgs missing the xml header as text/plain. This indicates the fault is in the adaptations PHP took to remove that error.

└(~) $ file -i Test.svg
Test.svg: image/svg+xml; charset=utf-8
└(~) $ file -i badge.svg
badge.svg: text/plain; charset=us-ascii

As only php is returning image/svg and this is not a registered mimetype, this can be considered a bug with php.

Test images:
Working svg+xml:
SVG returned as image/svg:

Test script:
echo mime_content_type('./badge.svg'), "\n";
echo mime_content_type('./Test.svg'), "\n";

$finfo = new finfo(FILEINFO_MIME);

$buffer = file_get_contents('./badge.svg');
echo $finfo->buffer($buffer) . "\n";
$buffer = file_get_contents('./Test.svg');
echo $finfo->buffer($buffer) . "\n";

Expected result:
image/svg+xml; charset=us-ascii
image/svg+xml; charset=utf-8

Actual result:
image/svg; charset=us-ascii
image/svg+xml; charset=utf-8


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-12-30 01:41 UTC] sloth at 0k dot vc
-Summary: incorrect svg mimetypes +Summary: Incorrect svg mimetypes detected
 [2019-12-30 01:41 UTC] sloth at 0k dot vc
More descriptive title
 [2019-12-30 02:01 UTC] phpbugs-xap2kka at mpan dot pl
With PHP 7.4.1 returns the same, bug file 5.37 (on Arch) offers a different output:

Test.svg:  image/svg+xml; charset=utf-8
badge.svg: image/svg; charset=us-ascii

That doesn’t explain, however, why is PHP 7.2.26 returning a different value and why “image/svg” is returned instead of “image/svg+xml”. I do understand that badge.svg is not an XML file and one may be tempted to remove that “+xml”, but if it is not an XML, it is also not an SVG and “image/svg” is equally incorrect. Plus it is not the registered type for SVG.
 [2019-12-30 02:03 UTC] phpbugs-xap2kka at mpan dot pl
“With PHP 7.4.1 *it* returns the same, *but* file 5.37 (on Arch) offers a different output” of course. Too many bugs. :)
 [2019-12-30 12:20 UTC]
The result depends on the version of the magic data; for vanilla

as of file 5.38: image/svg+xml
as of file 5.29: image/svg
former versions: text/plain

Note that file 5.38 has been released only two weeks ago, and that
we certainly won't switch back to the pre file 5.29 behavior.

Also note that active support for PHP 7.2 has ended one month
ago[1], so any fix for this could only go into PHP 7.3.

[1] <>
 [2019-12-30 23:20 UTC] phpbugs-xap2kka at mpan dot pl
But on sloth’s system `file` returns a value different than PHP does. This is the primary reason for re-opening and claiming it to be a PHP bug, as far as I understand. Shouldn’t they both agree on a single system?
 [2019-12-30 23:25 UTC] bugreports at gmail dot com
sadly php has it#s own fork of file-libs
in theory you can rebuild "data_file.c"

in reality this works until the distribution has a to new file-libs and in that case the command suceeds but the resulting php binary is unusable

php ext/fileinfo/create_data_file.php /usr/share/misc/magic.mgc > ext/fileinfo/data_file.c
 [2020-03-25 14:47 UTC] magnar at myrtveit dot com
I also experienced this annoying issue today. Here is a very simple reproduction:
 [2021-07-19 10:17 UTC] tim at decorrespondent dot nl
How is this still a problem after 2 years? The only solution now to properly handle svg files is to manually write an adapter so it will output `image/svg+xml`?
 [2021-11-22 22:44 UTC] sanya dot davyskiba at gmail dot com
After short investigation found that issue related to outdated RFC3023 8.19, since it was added 20 years ago (Jan 2001) when the svg+xml standard not developed yet (see, but after standard accepted in 2008 ( seems they haven't updated RFC3023:

> This media type registration is extracted from Appendix M of the SVG 1.2 Tiny specification.

I have no idea why. Probably it was not so easy that time.

Later on in 2016 related issue for W3C SVG working group closed because of:

> This work is not in scope of the SVG working group for the next year.

and it refers to Web Incubator Community Group (WICG) who should take care of that, but it seems they are not, at least I haven't found related discussions (

Many frameworks (not only all php frameworks, but also in other languages) who refers to RFC3023 sending wrong mime type to header, or they have their own ad-hoc fix to always send image/svg+xml.

For example, "file -i Test.svg" working well because they added svg+xml by default, see

As conclusion: in my opinion it's quite strange situation since we rely on RFC which wasn't updated for two decades. And we sending all PHP-generated content to browsers which relies on different standard (i.e. w3c), so the question is: What exactly standard we must respect — outdated RFC3023 chapter 8.19 or W3C SVGTiny12?
 [2021-11-23 12:14 UTC] sanya dot davyskiba at gmail dot com
The ones who want to use "image/svg+xml" must have to read, otherwise it is big security risk. That probably was the original issue, why by default we don't have this mime type auto-detected.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Jul 21 05:01:30 2024 UTC