xss: SVG Image

This addresses a security vulnerability reported by xxx where uploading a malicious SVG, getting the direct file link, adding `s=1` to the end, and visiting the link directly will render the SVG in the browser and execute the malicious Javascript within the SVG. This adds a CSP (Content Security Policy) header with `default-src 'self'` to the display code. When this header is present it prevents all inline Javascript execution thus mitigating the XSS.
osTicket · Jul 26, 2021 · 68dcaa2 · 68dcaa2
1 parent e7ed32c
commit 68dcaa2
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/include/class.file.php b/include/class.file.php
@@ -180,6 +180,7 @@ function display($scale=false) {
         }
         header('Content-Type: '.($this->getType()?$this->getType():'application/octet-stream'));
         header('Content-Length: '.$this->getSize());
+        header("Content-Security-Policy: default-src 'self'");
         $this->sendData();
         exit();
     }