Fix vulnerability: Cannot upload svg with javascript #623
jhthorsen committed Oct 13, 2021
1 parent 51aa38e commit 14a3b1e
Showing 4 changed files with 20 additions and 0 deletions.
3 changes: 3 additions & 0 deletions Changes
@@ -1,5 +1,8 @@
Revision history for perl distribution Convos

6.32 Not Released
- Fix vulnerability: Cannot upload svg with javascript #623

6.31 2021-10-02T06:51:00+0900
- Fix turning channel names with "-" into links
- Have to build a different tag for arm64 (for now) #464
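Review bot: the new Changes entry under `6.32 Not Released` repeats the issue title rather than describing the user-visible behaviour; consider wording it as what the change does, e.g. "Reject uploaded files that contain `<script` with a 400 error #623", so the changelog tells operators what now fails rather than what was reported.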
3 changes: 3 additions & 0 deletions lib/Convos/Controller/Files.pm
@@ -30,6 +30,9 @@ sub upload {
return $self->reply->errors([[$err, '/file']], 400)
if $err = !$upload ? 'No upload.' : !$upload->filename ? 'Unknown filename.' : '';

return $self->reply->errors([['SVG contains script.', '/file']], 400)
if $upload->asset->contains('<script') != -1;

my %args = (filename => $upload->filename);
$args{id} = $self->param('id') if defined $self->param('id');
$args{write_only} = $self->param('write_only') if defined $self->param('write_only');
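Review bot: the guard `if $upload->asset->contains('<script') != -1;` is a case-sensitive substring match applied to every upload regardless of type, so a plain-text or HTML attachment that merely mentions `<script` is rejected with the misleading message "SVG contains script.", while it does not cover the other ways an SVG can carry script (case variants, event-handler attributes). Suggest scoping the check to SVG uploads (by filename extension or declared content type) and, as a mitigation that does not depend on content sniffing, serving uploaded files with `Content-Disposition: attachment` and a restrictive Content-Security-Policy so an SVG that passes the filter still cannot execute in the site origin. Note also that `contains` on a file-backed asset reads the whole upload into memory for the search; acceptable if uploads are already size-limited.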
9 changes: 9 additions & 0 deletions t/data/js.svg
5 changes: 5 additions & 0 deletions t/web-files.t
@@ -111,6 +111,11 @@ subtest 'binary' => sub {
->header_is('Content-Type' => 'application/octet-stream');
};

subtest 'svg with javasript' => sub {
$t->post_ok('/api/file', form => {file => {file => 't/data/js.svg'}})->status_is(400)
->json_is('/errors/0/message', 'SVG contains script.');
};

subtest 'write_only' => sub {
$t->post_ok('/api/file',
form => {id => 'irc-localhost-key', file => {file => $asset}, write_only => true})
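Review bot: the subtest name in `subtest 'svg with javasript' => sub {` has a typo ("javasript"). The test covers only the rejection path; add a sibling case that uploads a benign SVG and asserts `status_is(200)`, and one that uploads a non-SVG file whose content includes the text `<script`, so the suite documents whether rejecting such files is intended behaviour of the substring check rather than an accident.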