github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-22 08:49:06 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: strip xlink:href from uploaded SVGs (#21057)

Browse Source 
This was inadvertently removed in 4c46c7e. In very specific scenarios,
this could be used execute arbitrary JavaScript.

Only affects instances where SVGs are allowed as uploads and CDN is not
configured.
This commit is contained in:
Penar Musaraj 2023-04-11 14:10:44 -04:00 committed by GitHub
parent 087ee8c5e2
commit 0ab3ba5f0d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/upload_creator.rb
View File

@ -497,6 +497,7 @@ class UploadCreator
if use_el.attr("href")
use_el.remove_attribute("href") unless use_el.attr("href").starts_with?("#")
end
use_el.remove_attribute("xlink:href")
end
File.write(@file.path, doc.to_s)
@file.rewind

2
spec/lib/upload_creator_spec.rb
View File

@ -613,7 +613,7 @@ RSpec.describe UploadCreator do
<g>
<use id="valid-use" x="123" href="#pathdef" />
</g>
<use id="invalid-use1" href="https://svg.example.com/evil.svg" />
<use id="invalid-use1" xlink:href="https://svg.example.com/evil.svg" />
<use id="invalid-use2" href="data:image/svg+xml;base64,#{b64}" />
</svg>
XML