github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 16:11:08 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Add content-disposition: attachment for SVG uploads

Browse Source 
* strip out the href and xlink:href attributes from use element that
  are _not_ anchors in svgs which can be used for XSS
* adding the content-disposition: attachment ensures that
  uploaded SVGs cannot be opened and executed using the XSS exploit.
  svgs embedded using an img tag do not suffer from the same exploit
This commit is contained in:
Martin Brennan
2020-07-09 13:31:48 +10:00
parent fd38c2fac3
commit 31e31ef449
6 changed files with 37 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
lib/file_helper.rb
View File

@ -17,6 +17,10 @@ class FileHelper
(filename =~ supported_images_regexp).present?
end
def self.is_inline_image?(filename)
(filename =~ inline_images_regexp).present?
end
def self.is_supported_media?(filename)
(filename =~ supported_media_regexp).present?
end
@ -136,6 +140,11 @@ class FileHelper
@@supported_images ||= Set.new %w{jpg jpeg png gif svg ico webp}
end
def self.inline_images
# SVG cannot safely be shown as a document
@@inline_images ||= supported_images - %w{svg}
end
def self.supported_audio
@@supported_audio ||= Set.new %w{mp3 ogg wav m4a}
end
@ -148,6 +157,10 @@ class FileHelper
@@supported_images_regexp ||= /\.(#{supported_images.to_a.join("|")})$/i
end
def self.inline_images_regexp
@@inline_images_regexp ||= /\.(#{inline_images.to_a.join("|")})$/i
end
def self.supported_media_regexp
media = supported_images | supported_audio | supported_video
@@supported_media_regexp ||= /\.(#{media.to_a.join("|")})$/i