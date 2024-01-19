
https://berthub.eu/trifecta/i/Tcp2y3TbBzU has a sample of this SVG. Since ed7a10d there is a Content-Security-Policy that blocks such javascript from running on the /i/ link. Thanks! I never knew that SVG could contain javascript which would run...
The upload handler checks that the content type starts with "image/", but this check includes the image/svg+xml content type, so the following image is accepted:
A non-admin user could trick an admin user into visiting such an image directly (so through its /i/ URL), which would execute the script, perhaps e.g. stealing the admin user's session.
Mitigations could include:
Marking the session cookie HTTP-only or writing a strict Content Security Policy would help defend against similar attacks.
Overview pages that include images through <img> elements are not affected.