xml detector: accept XMP/whitespace + refine UTF-16 checks

SoftCreatR · SoftCreatR · commit 240d74ec2742 · 2026-02-09T12:43:48.000+01:00
- tolerate leading whitespace/BOM and XML without declaration - detect XMP/RDF via xpacket and xmpmeta - add tests for new XML/XMP cases and UTF-16 guard paths Fixes FriendsOfFlarum/upload#455
diff --git a/src/SoftCreatR/MimeDetector/Detector/XmlSignatureDetector.php b/src/SoftCreatR/MimeDetector/Detector/XmlSignatureDetector.php
@@ -41,60 +41,146 @@ public function detect(DetectionContext $context): ?MimeTypeMatch
             }
         }
 
-        if ($buffer->checkForBytes([0xFF, 0xFE]) && $this->checkUtf16LeSequence($buffer, '<?xml ', 2)) {
+        if ($buffer->checkForBytes([0xFF, 0xFE]) && $this->isUtf16LeXmlDeclaration($buffer, 2)) {
             return $this->match('xml', 'application/xml');
         }
 
-        if ($buffer->checkForBytes([0xFE, 0xFF]) && $this->checkUtf16BeSequence($buffer, '<?xml ', 2)) {
+        if ($buffer->checkForBytes([0xFE, 0xFF]) && $this->isUtf16BeXmlDeclaration($buffer, 2)) {
             return $this->match('xml', 'application/xml');
         }
 
-        if (
-            $buffer->checkString('<!doctype html')
-            || $buffer->checkString('<!DOCTYPE html')
-            || $buffer->checkString('<html')
-        ) {
-            return $this->match('html', 'text/html');
-        }
-
         return null;
     }
 
     private function detectAsciiXml(FileBuffer $buffer, int $offset): ?MimeTypeMatch
     {
-        if (!$buffer->checkString('<?xml ', $offset)) {
+        $snippet = $buffer->sliceAsString($offset);
+
+        if ($snippet === '') {
+            return null;
+        }
+
+        $snippet = $this->ltrimAsciiWhitespace($snippet);
+
+        if ($snippet === '') {
             return null;
         }
 
-        $searchOffset = $offset + 6;
+        $snippet = \strtolower($snippet);
 
         if (
-            $buffer->searchForBytes($buffer->toBytes('<!doctype svg'), $searchOffset) !== -1
-            || $buffer->searchForBytes($buffer->toBytes('<!DOCTYPE svg'), $searchOffset) !== -1
-            || $buffer->searchForBytes($buffer->toBytes('<svg'), $searchOffset) !== -1
+            !$this->startsWithXmlDeclaration($snippet)
+            && !\str_starts_with($snippet, '<?xpacket')
+            && !$this->startsWithXmlTag($snippet)
         ) {
+            return null;
+        }
+
+        return $this->detectXmlFamily($snippet);
+    }
+
+    private function detectXmlFamily(string $snippet): MimeTypeMatch
+    {
+        if (\str_contains($snippet, '<!doctype svg') || \str_contains($snippet, '<svg')) {
             return $this->match('svg', 'image/svg+xml');
         }
 
-        if (
-            $buffer->searchForBytes($buffer->toBytes('<!doctype html'), $searchOffset) !== -1
-            || $buffer->searchForBytes($buffer->toBytes('<!DOCTYPE html'), $searchOffset) !== -1
-            || $buffer->searchForBytes($buffer->toBytes('<html'), $searchOffset) !== -1
-        ) {
+        if (\str_contains($snippet, '<!doctype html') || \str_contains($snippet, '<html')) {
             return $this->match('html', 'text/html');
         }
 
-        if ($buffer->searchForBytes($buffer->toBytes('<rdf:RDF'), $searchOffset) !== -1) {
+        if (\str_contains($snippet, '<x:xmpmeta') || \str_contains($snippet, '<rdf:rdf')) {
             return $this->match('rdf', 'application/rdf+xml');
         }
 
-        if ($buffer->searchForBytes($buffer->toBytes('<rss version="2.0"'), $searchOffset) !== -1) {
+        if (\str_contains($snippet, '<rss version="2.0"')) {
             return $this->match('rss', 'application/rss+xml');
         }
 
         return $this->match('xml', 'application/xml');
     }
 
+    private function startsWithXmlDeclaration(string $snippet): bool
+    {
+        if (!\str_starts_with($snippet, '<?xml')) {
+            return false;
+        }
+
+        return $this->isAsciiWhitespaceByte($snippet, 5);
+    }
+
+    private function startsWithXmlTag(string $snippet): bool
+    {
+        if (!isset($snippet[0], $snippet[1]) || $snippet[0] !== '<') {
+            return false;
+        }
+
+        $next = $snippet[1];
+
+        if ($next === '?' || $next === '!') {
+            return true;
+        }
+
+        $byte = \ord($next);
+
+        return ($byte >= 0x61 && $byte <= 0x7A) || ($byte >= 0x41 && $byte <= 0x5A) || $next === '_' || $next === ':';
+    }
+
+    private function isAsciiWhitespaceByte(string $snippet, int $offset): bool
+    {
+        if (!isset($snippet[$offset])) {
+            return false;
+        }
+
+        $byte = \ord($snippet[$offset]);
+
+        return \in_array($byte, [0x09, 0x0A, 0x0D, 0x20], true);
+    }
+
+    private function ltrimAsciiWhitespace(string $snippet): string
+    {
+        return \ltrim($snippet, " \t\r\n");
+    }
+
+    private function isUtf16LeXmlDeclaration(FileBuffer $buffer, int $offset): bool
+    {
+        if (!$this->checkUtf16LeSequence($buffer, '<?xml', $offset)) {
+            return false;
+        }
+
+        return $this->isUtf16LeWhitespace($buffer, $offset + 10);
+    }
+
+    private function isUtf16BeXmlDeclaration(FileBuffer $buffer, int $offset): bool
+    {
+        if (!$this->checkUtf16BeSequence($buffer, '<?xml', $offset)) {
+            return false;
+        }
+
+        return $this->isUtf16BeWhitespace($buffer, $offset + 10);
+    }
+
+    private function isUtf16LeWhitespace(FileBuffer $buffer, int $offset): bool
+    {
+        $lowByte = $buffer->get($offset);
+        $highByte = $buffer->get($offset + 1);
+
+        return $lowByte !== null && $highByte === 0x00 && $this->isAsciiWhitespace($lowByte);
+    }
+
+    private function isUtf16BeWhitespace(FileBuffer $buffer, int $offset): bool
+    {
+        $highByte = $buffer->get($offset);
+        $lowByte = $buffer->get($offset + 1);
+
+        return $highByte === 0x00 && $lowByte !== null && $this->isAsciiWhitespace($lowByte);
+    }
+
+    private function isAsciiWhitespace(int $byte): bool
+    {
+        return \in_array($byte, [0x09, 0x0A, 0x0D, 0x20], true);
+    }
+
     private function checkUtf16LeSequence(FileBuffer $buffer, string $value, int $offset): bool
     {
         $bytes = [];
diff --git a/tests/SoftCreatR/MimeDetector/Detector/XmlSignatureDetectorTest.php b/tests/SoftCreatR/MimeDetector/Detector/XmlSignatureDetectorTest.php
@@ -43,6 +43,15 @@ public static function provideXmlSamples(): iterable
         yield 'rdf' => ['<?xml <rdf:RDF></rdf:RDF>', 'rdf', 'application/rdf+xml'];
         yield 'rss' => ['<?xml <rss version="2.0"></rss>', 'rss', 'application/rss+xml'];
         yield 'generic xml' => ['<?xml <root/>', 'xml', 'application/xml'];
+        yield 'xml with leading whitespace' => ["\n\t<?xml <root/>", 'xml', 'application/xml'];
+        yield 'xml without declaration' => ['<root/>', 'xml', 'application/xml'];
+        yield 'truncated xml declaration' => ['<?xml', 'xml', 'application/xml'];
+        yield 'xpacket xmp' => [
+            '<?xpacket begin="id"?>'
+            . '<x:xmpmeta><rdf:RDF></rdf:RDF></x:xmpmeta>',
+            'rdf',
+            'application/rdf+xml',
+        ];
         yield 'utf8 bom xml' => ["\xEF\xBB\xBF<?xml <root/>", 'xml', 'application/xml'];
         yield 'utf16-le xml' => ["\xFF\xFE" . self::toUtf16Le('<?xml <root/>'), 'xml', 'application/xml'];
         yield 'utf16-be xml' => ["\xFE\xFF" . self::toUtf16Be('<?xml <root/>'), 'xml', 'application/xml'];
@@ -74,6 +83,44 @@ public function testReturnsNullForNonXmlContent(): void
         $this->assertNull($match);
     }
 
+    public function testReturnsNullForEmptyPayload(): void
+    {
+        $detector = new XmlSignatureDetector();
+
+        $match = $this->detect($detector, '');
+
+        $this->assertNull($match);
+    }
+
+    public function testReturnsNullForWhitespaceOnlyPayload(): void
+    {
+        $detector = new XmlSignatureDetector();
+
+        $match = $this->detect($detector, " \n\t");
+
+        $this->assertNull($match);
+    }
+
+    public function testReturnsNullForUtf16LeWithoutXmlDeclaration(): void
+    {
+        $detector = new XmlSignatureDetector();
+
+        $payload = "\xFF\xFE" . self::toUtf16Le('not xml');
+        $match = $this->detect($detector, $payload);
+
+        $this->assertNull($match);
+    }
+
+    public function testReturnsNullForUtf16BeWithoutXmlDeclaration(): void
+    {
+        $detector = new XmlSignatureDetector();
+
+        $payload = "\xFE\xFF" . self::toUtf16Be('not xml');
+        $match = $this->detect($detector, $payload);
+
+        $this->assertNull($match);
+    }
+
     /**
      * @throws MimeDetectorException
      */
