SVG images are accepted but not sanitized #38

wandernauta opened this issue Jan 19, 2024 · 1 comment
@wandernauta
The upload handler checks that the content type starts with "image/", but this check includes the image/svg+xml content type, so the following image is accepted:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" width="500" height="500">
  <circle cx="250" cy="250" r="210" fill="#fff" stroke="#000" stroke-width="8"/>
  <script type="text/javascript">alert(1);</script>
</svg>

A non-admin user could trick an admin user into visiting such an image directly (so through its /i/ URL), which would execute the script, e.g. stealing the admin user's session.

Mitigations could include:

  • Not accepting SVG at all (like imgur), perhaps instead checking against an allowlist of content types.
  • Accepting SVG images, but only if they do not have script tags or event handlers (like Wikimedia Commons).

Marking the session cookie HTTP-only or writing a strict Content Security Policy would help defend against similar attacks.

Overview pages that include images through <img> elements are not affected.
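One way to implement the two mitigations listed above, as an added example that is not Trifecta's own code: a strict allowlist that drops image/svg+xml entirely, and an SVG inspection that rejects script elements and on* event-handler attributes. The function names, the allowlist contents and the constructed sample documents are this example's choices; the javascript: URL check on href goes one step beyond the list in the report. It uses only the standard library and inspects element and attribute names, which is all the check needs.

```python
"""Upload content-type checks for an image host (added example, not Trifecta's code).

Only the standard library is used. ElementTree is acceptable here because the
code only inspects element and attribute names; it does not resolve external
entities by default.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Mitigation 1: an explicit allowlist of raster types; SVG is simply not on it.
# (The set is this example's choice.)
RASTER_ALLOWLIST = frozenset({"image/png", "image/jpeg", "image/gif", "image/webp"})


def original_check(content_type: str) -> bool:
    """The check described in the issue: any 'image/' prefix passes,
    so image/svg+xml is accepted too."""
    return content_type.startswith("image/")


def media_type(content_type: str) -> str:
    """Strip parameters (e.g. '; charset=...') and normalise case before comparing."""
    return content_type.split(";", 1)[0].strip().lower()


def allowlist_check(content_type: str) -> bool:
    """Mitigation 1: accept only media types on the raster allowlist."""
    return media_type(content_type) in RASTER_ALLOWLIST


def _local_name(qualified: str) -> str:
    # ElementTree spells namespaced names as '{uri}local'; keep the local part.
    return qualified.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list[str]:
    """Mitigation 2: list the active content found in an SVG document.

    An empty list means no script elements, no on* event-handler attributes
    and no javascript: URLs in href/xlink:href were found. Takes bytes so
    that an XML declaration with an encoding is handled by the parser.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")
    for elem in root.iter():  # includes the root itself
        name = _local_name(elem.tag)
        if name == "script":
            findings.append("<script> element")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.startswith("on"):
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            # Browsers ignore embedded whitespace in the scheme, so strip it first.
            if attr_name == "href" and "".join(value.split()).lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


def accept_upload(content_type: str, data: bytes, allow_svg: bool = False) -> tuple[bool, str]:
    """Decide whether to store an upload, based on the declared content type.

    allow_svg=False is mitigation 1 (reject SVG outright); allow_svg=True is
    mitigation 2 (store SVG only when svg_active_content() finds nothing).
    Whether the bytes really are a PNG/JPEG is a separate check not shown here.
    """
    mtype = media_type(content_type)
    if mtype in RASTER_ALLOWLIST:
        return True, "raster type on allowlist"
    if mtype == "image/svg+xml":
        if not allow_svg:
            return False, "SVG uploads are disabled"
        findings = svg_active_content(data)
        if findings:
            return False, "SVG rejected: " + "; ".join(findings)
        return True, "SVG accepted: no active content found"
    return False, f"content type {mtype!r} not allowed"


# Sample inputs: the SVG from the report above, plus two constructed variants.
ISSUE_SVG = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" width="500" height="500">
  <circle cx="250" cy="250" r="210" fill="#fff" stroke="#000" stroke-width="8"/>
  <script type="text/javascript">alert(1);</script>
</svg>"""

HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" onload="alert(1)"/>
  <a xlink:href=" JavaScript:alert(1)"><text>x</text></a>
</svg>"""

CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="#fff"/>
</svg>"""

if __name__ == "__main__":
    print("original check accepts SVG:", original_check("image/svg+xml"))
    print("allowlist accepts SVG:", allowlist_check("image/svg+xml"))
    for label, doc in (("issue", ISSUE_SVG), ("handler", HANDLER_SVG), ("clean", CLEAN_SVG)):
        print(label, accept_upload("image/svg+xml", doc, allow_svg=True))
```

Note that both checks still key off the declared content type; a client that labels an SVG as image/png is rejected by the browser rather than the server, since browsers do not sniff to SVG. The cookie attribute and Content-Security-Policy mentioned in the report are independent of this code and apply on the /i/ response regardless of which mitigation is chosen.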
berthubert added a commit that referenced this issue Jan 19, 2024
@berthubert
Set HttpOnly cookie attribute to partially address #38
c224ad2
@berthubert
Owner

https://berthub.eu/trifecta/i/Tcp2y3TbBzU has a sample of this SVG. Since ed7a10d there is a Content-Security-Policy that blocks such javascript from running on the /i/ link. Thanks! I never knew that SVG could contain javascript which would run...

@guusdk guusdk mentioned this issue Jan 19, 2024
Closed