SECURITY: Add content-disposition: attachment for SVG uploads

* strip out the href and xlink:href attributes from `use` elements that
  are _not_ anchors in SVGs which can be used for XSS
* adding the content-disposition: attachment ensures that
  uploaded SVGs cannot be opened and executed using the XSS exploit.
  SVGs embedded using an img tag do not suffer from the same exploit
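The two mitigations the commit message describes, as an added example (not Discourse's own code): an SVG pass that drops `href` / `xlink:href` from `<use>` elements unless the value is an in-document anchor (`#id`), and a disposition helper that keeps non-inline types such as SVG as `attachment` even when the caller asks for `inline`. The sample SVG, the `INLINE_IMAGE_EXTENSIONS` list and the helper names are constructed for this illustration; only Ruby's bundled REXML is used.

```ruby
require "rexml/document"

# Constructed sample SVG: two in-document <use> references that must survive,
# and two references that pull content from outside the file, which are removed.
SAMPLE_SVG = <<~SVG
  <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    <defs><circle id="dot" r="4"/></defs>
    <use href="#dot" x="10"/>
    <use xlink:href="#dot" x="20"/>
    <use href="data:image/svg+xml;base64,AAAA"/>
    <use xlink:href="https://example.invalid/other.svg#x"/>
  </svg>
SVG

# Both spellings of the reference attribute on <use>.
REF_ATTRIBUTES = %w[href xlink:href].freeze

# A reference counts as an in-document anchor only when it is a bare fragment.
def anchor_ref?(value)
  value.to_s.strip.start_with?("#")
end

# Returns [sanitised_svg, number_of_attributes_removed].
def strip_use_refs(svg_text)
  doc = REXML::Document.new(svg_text)
  removed = 0
  doc.root.each_recursive do |el|
    # Element#name is the local name, so a prefixed <svg:use> matches as well.
    next unless el.name == "use"

    doomed = []
    el.attributes.each_attribute do |attr|
      next unless REF_ATTRIBUTES.include?(attr.expanded_name)
      doomed << attr unless anchor_ref?(attr.value)
    end
    doomed.each do |attr|
      # Deleting the Attribute object (not a bare name) keeps the xlink: prefix handling correct.
      el.attributes.delete(attr)
      removed += 1
    end
  end
  [doc.to_s, removed]
end

# Assumed list of types safe to render inline. SVG is deliberately absent,
# which is the substance of swapping is_supported_image? for is_inline_image?.
INLINE_IMAGE_EXTENSIONS = %w[png jpg jpeg gif webp].freeze

# Mirrors the controller branch: non-inline types are always attachments, and the
# caller's inline flag is honoured only for inline-safe types (nil = no override).
def disposition_for(filename, inline_requested: false)
  ext = File.extname(filename).delete_prefix(".").downcase
  return "attachment" unless INLINE_IMAGE_EXTENSIONS.include?(ext)
  inline_requested ? "inline" : nil
end

if __FILE__ == $PROGRAM_NAME
  cleaned, n = strip_use_refs(SAMPLE_SVG)
  puts cleaned
  puts "removed #{n} external reference(s)"
  puts disposition_for("logo.svg", inline_requested: true)  # attachment
  puts disposition_for("photo.png", inline_requested: true) # inline
end
```

Run it directly to see the sanitised document and the disposition decisions. The point of the extension check is that a requester-controlled `inline` flag must never be able to promote an SVG back to an inline response; the sanitiser is defence in depth for the case where the file is still rendered as a document somewhere.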
Martin Brennan
2020-07-09 13:31:48 +10:00
parent fd38c2fac3
commit 31e31ef449
6 changed files with 37 additions and 7 deletions


@ -252,7 +252,7 @@ class UploadsController < ApplicationController
content_type: MiniMime.lookup_by_filename(upload.original_filename)&.content_type
}
if !FileHelper.is_supported_image?(upload.original_filename)
if !FileHelper.is_inline_image?(upload.original_filename)
opts[:disposition] = "attachment"
elsif params[:inline]
opts[:disposition] = "inline"
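Review bot: `FileHelper.is_inline_image?` is the entire gate in this hunk but its definition is outside it; confirm it returns false for `.svg` so the first branch sets `opts[:disposition] = "attachment"` and the `elsif params[:inline]` branch is never reached for an SVG, otherwise a request with `inline` set would reinstate the rendering the commit message is trying to prevent. A controller spec that requests an uploaded `.svg` with `inline` set and asserts a `Content-Disposition: attachment` header would pin this. Note also that the `content_type` line above still comes from `MiniMime.lookup_by_filename`, so the SVG is still served as its image type; the disposition, not the type, is what stops the browser treating it as a document, so the spec should check both headers.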