SECURITY: strip `xlink:href` from uploaded SVGs (#21058)

This was inadvertently removed in 4c46c7e. In very specific scenarios,
this could be used to execute arbitrary JavaScript.

Only affects instances where SVGs are allowed as uploads and CDN is not
configured.
Penar Musaraj 2023-04-11 14:15:41 -04:00 committed by GitHub
parent dc3aaf852b
commit 7468b78885
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 1 deletions


@ -500,6 +500,7 @@ class UploadCreator
if use_el.attr("href")
use_el.remove_attribute("href") unless use_el.attr("href").starts_with?("#")
end
use_el.remove_attribute("xlink:href")
end
File.write(@file.path, doc.to_s)
@file.rewind
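Review bot: the added `use_el.remove_attribute("xlink:href")` is unconditional, while the `href` branch just above it keeps fragment-only references (`starts_with?("#")`). An SVG that points a `<use>` at an internal definition via the older `xlink:href="#pathdef"` form will therefore lose its reference and render incorrectly, even though it carries no external or data: target. Suggest mirroring the existing check, e.g. `use_el.remove_attribute("xlink:href") unless use_el.attr("xlink:href")&.starts_with?("#")`, and adding a spec case for a valid fragment `xlink:href` alongside the existing `valid-use` case.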


@ -613,7 +613,7 @@ RSpec.describe UploadCreator do
<g>
<use id="valid-use" x="123" href="#pathdef" />
</g>
<use id="invalid-use1" href="https://svg.example.com/evil.svg" />
<use id="invalid-use1" xlink:href="https://svg.example.com/evil.svg" />
<use id="invalid-use2" href="data:image/svg+xml;base64,#{b64}" />
</svg>
XML
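Review bot: per the hunk header (`-613,7 +613,7`) and the commit summary (2 additions, 1 deletion), the `<use id="invalid-use1" href="https://svg.example.com/evil.svg" />` line is replaced by the `xlink:href` variant rather than added next to it, so the spec no longer exercises stripping of a plain external `href`, which is the case the surrounding code already guarded. Keep both lines and give the new one its own id (for example `invalid-use3`) so the two cases are asserted independently and the fixture does not contain a duplicated `id` value.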