fixes

Author: ljonesfl

src/Validation/IsImage.php

@@ -31,8 +31,9 @@ public function __construct(
 		$this->checkImageData = $checkImageData;
 		$this->allowSvg = $allowSvg;
 
-		// If SVG is explicitly allowed, add it to allowed MIME types
-		if( $this->allowSvg && !in_array( 'image/svg+xml', $this->allowedMimeTypes, true ) )
+		// If SVG is explicitly allowed AND we have MIME type restrictions, add SVG to allowed list
+		// Don't add if allowedMimeTypes is empty (meaning allow all types)
+		if( $this->allowSvg && !empty( $this->allowedMimeTypes ) && !in_array( 'image/svg+xml', $this->allowedMimeTypes, true ) )
 		{
 			$this->allowedMimeTypes[] = 'image/svg+xml';
 		}
@@ -74,7 +75,8 @@ protected function validate( mixed $value ) : bool
 	private function validateDataUri( string $dataUri ) : bool
 	{
 		// Parse data URI: data:[<mediatype>][;base64],<data>
-		$pattern = '/^data:([a-zA-Z0-9][a-zA-Z0-9\/+\-]*);base64,(.+)$/';
+		// Use 's' modifier to allow . to match newlines in base64 data
+		$pattern = '/^data:([a-zA-Z0-9][a-zA-Z0-9\/+\-]*);base64,(.+)$/s';
 
 		if( !preg_match( $pattern, $dataUri, $matches ) )
 		{
@@ -119,22 +121,48 @@ private function validateBase64Image( string $base64Data ) : bool
 			return false;
 		}
 
-		// If we need to check the actual image data
-		if( $this->checkImageData )
+		// Always validate image data to check MIME type restrictions
+		// Even when checkImageData is false, we need to detect the type for MIME validation
+		// but we can skip the more expensive image content validation
+		if( !empty( $this->allowedMimeTypes ) )
 		{
+			// Detect the image type from signatures
+			$detectedType = $this->detectImageType( $decoded );
+
+			// Check for SVG if allowed
+			if( $detectedType === null && $this->allowSvg )
+			{
+				$detectedType = $this->detectSvg( $decoded );
+			}
+
+			// If we couldn't detect a type, it's not a valid image
+			if( $detectedType === null )
+			{
+				return false;
+			}
+
+			// Check if detected type is allowed
+			if( !$this->isMimeTypeAllowed( $detectedType ) )
+			{
+				return false;
+			}
+		}
+		elseif( $this->checkImageData )
+		{
+			// No MIME restrictions but need to validate image data
 			return $this->validateImageData( $decoded );
 		}
 
 		return true;
 	}
 
 	/**
-	 * Validates that the decoded data is actually a valid image.
+	 * Detects image type from binary data signatures.
 	 *
 	 * @param string $imageData
-	 * @return bool
+	 * @return string|null Returns MIME type if detected, null otherwise
 	 */
-	private function validateImageData( string $imageData ) : bool
+	private function detectImageType( string $imageData ) : ?string
 	{
 		// Check for common image file signatures (magic numbers)
 		$signatures = [
@@ -152,7 +180,6 @@ private function validateImageData( string $imageData ) : bool
 		$dataStart = substr( $imageData, 0, 20 );
 
 		// Check for image signatures
-		$detectedType = null;
 		foreach( $signatures as $signature => $mimeType )
 		{
 			if( strpos( $dataStart, $signature ) === 0 )
@@ -163,11 +190,24 @@ private function validateImageData( string $imageData ) : bool
 					continue;
 				}
 
-				$detectedType = $mimeType;
-				break;
+				return $mimeType;
 			}
 		}
 
+		return null;
+	}
+
+	/**
+	 * Validates that the decoded data is actually a valid image.
+	 *
+	 * @param string $imageData
+	 * @return bool
+	 */
+	private function validateImageData( string $imageData ) : bool
+	{
+		// Use the extracted method to detect image type
+		$detectedType = $this->detectImageType( $imageData );
+
 		// Check for SVG separately with more strict validation
 		if( $detectedType === null && $this->allowSvg )
 		{

tests/Validation/IsImageTest.php

@@ -324,6 +324,98 @@ public function testBomRemovalExactSequence()
 		$this->assertTrue( $validatorWithSvg->isValid( $svgEfBase64 ) );
 	}
 
+	/**
+	 * Test data URI with line-wrapped base64 (common in email/MIME).
+	 */
+	public function testDataUriWithLineWrappedBase64()
+	{
+		// PNG image with base64 wrapped at 76 characters (common MIME format)
+		$pngBase64Wrapped = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChw\nGA60e6kgAAAABJRU5ErkJggg==";
+
+		// Test with newline in base64 data
+		$dataUriWithNewline = 'data:image/png;base64,' . $pngBase64Wrapped;
+
+		$validator = new IsImage();
+		// Should pass - newlines are valid in base64 data URIs
+		$this->assertTrue( $validator->isValid( $dataUriWithNewline ) );
+
+		// Test with multiple newlines and spaces (also valid)
+		$pngBase64MultiLine = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ\n" .
+		                      "AAAADUlEQVR42mNkYPhfDwAChw\n" .
+		                      "GA60e6kgAAAABJRU5ErkJggg==";
+
+		$dataUriMultiLine = 'data:image/png;base64,' . $pngBase64MultiLine;
+		$this->assertTrue( $validator->isValid( $dataUriMultiLine ) );
+
+		// Test with carriage return + newline (Windows style)
+		$pngBase64CRLF = str_replace("\n", "\r\n", $pngBase64Wrapped);
+		$dataUriCRLF = 'data:image/png;base64,' . $pngBase64CRLF;
+		$this->assertTrue( $validator->isValid( $dataUriCRLF ) );
+	}
+
+	/**
+	 * Test MIME type restrictions work for raw base64 input.
+	 */
+	public function testMimeTypeRestrictionsForRawBase64()
+	{
+		// PNG image as raw base64
+		$pngBase64 = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
+
+		// JPEG image as raw base64
+		$jpegBase64 = '/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAABAAEDASIAAhEBAxEB/8QAFQABAQAAAAAAAAAAAAAAAAAAAAr/xAAUEAEAAAAAAAAAAAAAAAAAAAAA/8QAFQEBAQAAAAAAAAAAAAAAAAAAAAX/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCdABmX/9k=';
+
+		// Validator that only allows JPEG, even with checkImageData=false
+		$jpegOnlyValidator = new IsImage( [ 'image/jpeg' ], null, false );
+
+		// JPEG should pass
+		$this->assertTrue( $jpegOnlyValidator->isValid( $jpegBase64 ) );
+
+		// PNG should fail even with checkImageData=false
+		$this->assertFalse( $jpegOnlyValidator->isValid( $pngBase64 ) );
+
+		// Validator that only allows PNG
+		$pngOnlyValidator = new IsImage( [ 'image/png' ], null, false );
+
+		// PNG should pass
+		$this->assertTrue( $pngOnlyValidator->isValid( $pngBase64 ) );
+
+		// JPEG should fail
+		$this->assertFalse( $pngOnlyValidator->isValid( $jpegBase64 ) );
+	}
+
+	/**
+	 * Test empty allowedMimeTypes with SVG doesn't restrict to SVG only.
+	 */
+	public function testEmptyAllowedMimeTypesWithSvgAllowsAll()
+	{
+		// Empty array means allow all types
+		$validatorAllowAll = new IsImage( [], null, true, true );
+
+		// All image types should pass
+		$jpegBase64 = '/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAABAAEDASIAAhEBAxEB/8QAFQABAQAAAAAAAAAAAAAAAAAAAAr/xAAUEAEAAAAAAAAAAAAAAAAAAAAA/8QAFQEBAQAAAAAAAAAAAAAAAAAAAAX/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCdABmX/9k=';
+		$this->assertTrue( $validatorAllowAll->isValid( $jpegBase64 ) );
+
+		$pngBase64 = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
+		$this->assertTrue( $validatorAllowAll->isValid( $pngBase64 ) );
+
+		$gifBase64 = 'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';
+		$this->assertTrue( $validatorAllowAll->isValid( $gifBase64 ) );
+
+		// SVG should also pass
+		$svgBase64 = base64_encode( '<svg xmlns="http://www.w3.org/2000/svg"></svg>' );
+		$this->assertTrue( $validatorAllowAll->isValid( $svgBase64 ) );
+
+		// Now test with allowSvg=false but empty allowedMimeTypes
+		$validatorNoSvg = new IsImage( [], null, true, false );
+
+		// Non-SVG images should still pass
+		$this->assertTrue( $validatorNoSvg->isValid( $jpegBase64 ) );
+		$this->assertTrue( $validatorNoSvg->isValid( $pngBase64 ) );
+
+		// SVG should fail
+		$this->assertFalse( $validatorNoSvg->isValid( $svgBase64 ) );
+	}
+
 	/**
 	 * Test malformed data URI.
 	 */