Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix file upload XSS #534

Merged
merged 1 commit into from Dec 28, 2022
Merged

Fix file upload XSS #534

merged 1 commit into from Dec 28, 2022

Conversation

jmattheis
Copy link
Member

The application image file upload allowed authenticated users to upload malious .html files. Opening such a file like

https://push.gotify.net/image/ViaxrjzNowdgL-xnEfVV-Ggv5.html

would allow the attacker to execute client side scripts.

The application image upload will now only allow the upload of files
with the following extensions: .gif, .png, .jpg and .jpeg.

The application image file upload allowed authenticated users to upload
malious .html files. Opening such a file like

https://push.gotify.net/image/ViaxrjzNowdgL-xnEfVV-Ggv5.html

would allow the attacker to execute client side scripts.

The application image upload will now only allow the upload of files
with the following extensions: .gif, .png, .jpg and .jpeg.
@jmattheis jmattheis requested a review from a team as a code owner December 28, 2022 19:30
@jmattheis jmattheis merged commit 022603d into master Dec 28, 2022
4 checks passed
@jmattheis jmattheis deleted the fix-xss branch December 28, 2022 19:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

None yet

1 participant