Commit 228a48da authored by Hugh Davenport's avatar Hugh Davenport

Escape user uploaded SVG files

Bug #1061980
CVE-2012-2247

Before this patch, if a user uploaded HTML or XML files
then tried to download them, or linked other users to download
them, they would be presented with an escaped version along
with a link to download the original.

Unfortunately, an SVG file can possibly contain unsecure content,
such as javascript, that would be run on the victims browser.

This patch adds SVG files (image/svg+xml) to the list of files
to not display by default.

Change-Id: I56e7c9d2a7d8de03b5b3be31f0ac44198547ea09
Signed-off-by: default avatarHugh Davenport <hugh@catalyst.net.nz>
parent 1626ecbe
......@@ -70,7 +70,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) {
$lastmodified = filemtime($path);
$filesize = filesize($path);
if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml') {
if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml' || $mimetype == 'image/svg+xml') {
if (isset($options['downloadurl']) && $filesize < 1024 * 1024) {
display_cleaned_html(file_get_contents($path), $filename, $options);
exit;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment