
committed
Don’t allow fetching external files unless explicitly asked for
1 parent 58be378 commit 12d31c6

3 files changed

+10
-3
lines changed

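--- a/cairosvg/__main__.py
+++ b/cairosvg/__main__.py
@@ -42,8 +42,8 @@ def main(argv=None, stdout=None, stdin=None):
         help='replace every raster pixel with its complementary color')
     parser.add_argument(
         '-u', '--unsafe', action='store_true',
-        help='resolve XML entities and allow very large files '
-        '(WARNING: vulnerable to XXE attacks and various DoS)')
+        help='fetch external files, resolve XML entities and allow very large '
+        'files (WARNING: vulnerable to XXE attacks and various DoS)')
     parser.add_argument(
         '--output-width', default=None, type=float,
         help='desired output width in pixels')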
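Review bot: The new help text on line 45 says `fetch external files` but not that the SVG being converted is what chooses those files, so a user who passes `--unsafe` on an untrusted document may not realise they are granting it reads of local paths and internal URLs on top of entity expansion. I would spell that out in the flag help, e.g. `help='fetch files and URLs referenced by the input SVG, resolve XML entities and allow very large files (WARNING: vulnerable to local file read, SSRF, XXE and various DoS)'`. Which elements trigger fetches is not visible in this hunk, so the exact wording should follow what the fetcher is actually used for. The rest of `main` lies outside the hunk.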

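--- a/cairosvg/parser.py
+++ b/cairosvg/parser.py
@@ -390,6 +390,12 @@ def __init__(self, **kwargs):
             tree = ElementTree.fromstring(
                 bytestring, forbid_entities=not unsafe,
                 forbid_external=not unsafe)
+
+        # Don’t allow fetching external files unless explicitly asked for
+        if 'url_fetcher' not in kwargs and not unsafe:
+            self.url_fetcher = (
+                lambda *args, **kwargs: b'<svg width="1" height="1"></svg>')
+
         self.xml_tree = tree
         root = cssselect2.ElementWrapper.from_xml_root(tree)
         style = parent.style if parent else css.parse_stylesheets(self, url)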
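Review bot: The placeholder fetcher on lines 396-397 is an anonymous lambda whose `**kwargs` shadows `__init__`'s own `kwargs` from the line above, and the comment gives no rationale for it; since this is the security default I would make it a named module-level function, `def _refuse_external_fetch(url, resource_type):` returning `b'<svg width="1" height="1"></svg>'`, assign `self.url_fetcher = _refuse_external_fetch`, and give it a docstring stating that it never touches the network or the filesystem and that callers opt back in with `unsafe=True` or their own `url_fetcher`. The placeholder is returned for every `resource_type`, so a stylesheet or raster-image reference receives SVG bytes; whether those loaders tolerate that is not visible here and deserves a line in the comment. The override is applied after `ElementTree.fromstring`, presumably so that a root document given by `url=` is still fetched with the real fetcher set earlier in `__init__`; if that is the intent, the comment should say the placement is deliberate so nobody moves it up. Note also that the guard keys on the presence of the `url_fetcher` key rather than its value, so a caller passing `url_fetcher=None` explicitly bypasses the blocking default. The start of `__init__` lies outside the hunk.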

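--- a/cairosvg/surface.py
+++ b/cairosvg/surface.py
@@ -113,7 +113,8 @@ def convert(cls, bytestring=None, *, file_obj=None, url=None, dpi=96,
         :param parent_width: The width of the parent container in pixels.
         :param parent_height: The height of the parent container in pixels.
         :param scale: The ouptut scaling factor.
-        :param unsafe: A boolean allowing XML entities and very large files
+        :param unsafe: A boolean allowing external file access, XML entities
+          and very large files
           (WARNING: vulnerable to XXE attacks and various DoS).
 
         Specifiy the output with: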
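Review bot: The new `:param unsafe:` text on lines 116-118 still does not tell callers what happens to external references when the flag is false, nor that there is a middle ground; the parser change in this commit skips the blocking default whenever a `url_fetcher` keyword is present, so if `convert` forwards that keyword through `**kwargs` I would add after the warning: `When false, external resources referenced by the SVG are replaced by an empty placeholder unless a custom ``url_fetcher`` is passed.` The adjacent context lines carry the typos `ouptut` and `Specifiy`, which could be fixed in passing. The `convert` docstring continues outside the hunk.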
