Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixed XSS vulnerability in SVG image uploads [ch10476] #7639

Merged
merged 4 commits into from
Dec 6, 2019
Merged

Fixed XSS vulnerability in SVG image uploads [ch10476] #7639

merged 4 commits into from
Dec 6, 2019

Conversation

snipe
Copy link
Owner

@snipe snipe commented Dec 6, 2019

This breaks the image upload handling (resizing, etc) into a new method in the ImageUploadRequest that also checks for SVGs and sanitizes them. (This improved method of handling uploads is already on v5.)

The severity of this vulnerability is reduced since attack requires interaction, the attacker would need to be an authenticated user of the system, and the attacker would have to either trick the victim into opening the poisoned SVG in a new window, or host it within an iframe (which we prevent.)

It will sanitize an SVG from:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(1);
</script>
</svg>

to

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>

@snipe
Added enshrined/svg-sanitize
59738c7
@snipe
Added modular image resizing/SVG cleaning method
e8ef0a4 
(This already exists in v5, so I mostly ported it forward and added the SVG sanitizer.)
@snipe
Use improved handleImages method to upload/resize/clean images
9444d93
@snipe
Removed $old_image
4b99aae 
This is handled in the ImageUpload request now
uberbrady
uberbrady approved these changes Dec 6, 2019
View reviewed changes
Copy link
Collaborator

@uberbrady uberbrady left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Love how delightfully red this PR is. This seems cleaner all around.

@snipe
Copy link
Owner Author

snipe commented Dec 6, 2019

@inietov @Godmartinz I'm going to go ahead and merge this bad boy, but if you'd like me to walk you through any of this, hit me up in Slack.

@snipe snipe merged commit e71e57f into master Dec 6, 2019
@snipe snipe deleted the fixes/sanitize_svg_uploads branch March 30, 2020 23:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@uberbrady uberbrady uberbrady approved these changes

@inietov inietov Awaiting requested review from inietov

@Godmartinz Godmartinz Awaiting requested review from Godmartinz

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@snipe @uberbrady