Disable inline JavaScript when directly open SVG files #30221
Conversation
htaccess.txt (outdated review comment)
@@ -30,6 +30,11 @@ Header always set X-Content-Type-Options "nosniff" | |||
Options +FollowSymlinks | |||
Options -Indexes | |||
|
|||
## Disable inline JavaScript when directly open SVG files |
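Review bot: the hunk header announces five added lines (`+30,11` against `-30,6`), but only the comment heading `## Disable inline JavaScript when directly open SVG files` is visible here; whatever `Header` directive follows it should be wrapped in `<IfModule mod_headers.c>`, as raised later in the thread, so that .htaccess does not fail on hosts without mod_headers, and the comment wording should also cover SVGs embedded via the object tag, as the suggested change below proposes.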
Suggested change:
- ## Disable inline JavaScript when directly open SVG files
+ ## Disable inline JavaScript when directly open SVG files or embed them with the object-tag
opening and embedding please
This should be accompanied by a postinstallation message.
Agree, can you give me an example of the text to be used? It should say something like "additional hardening for SVG files" and that they can accomplish that hardening by adding the mentioned lines to the htaccess file.
I would use the previous message ".htaccess & web.config Security Update" as a template for this one.
I have tested this item ✅ successfully on cd4fcbb This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30221.
Co-authored-by: Brian Teeman <brian@teeman.net>
@viocassel @toivo can you take a look into the postinstall message that has been added here, so we can mark this as RTC for 3.9.21 :)
@zero-24 Can we be 100% sure that on Apache mod_headers is enabled? If not (which I assume), then we have to wrap the htaccess change into an
@zero-24 Would the following work on all supported Apache versions?
Tbh I don't know, I guess it has to be tried. :D
@zero-24 If you get me an Apache 2.0 from the German museum in Munich I can try it ;-)
@zero-24 Now it will not crash if mod_headers is not there => fine. But it also will not apply the rule in this case, and so you can upload dangerous SVGs. Is there anything we can do about this? I mean we have that problem with all CSP headers we set in htaccess. Maybe we really should require mod_headers?
And the next question of course is: What do we do with IIS? |
As mentioned in the postinstall, I'm not aware of how to do that with web.config.
We just apply server-side protection here. When it is not there but taken care of otherwise on the server side, this is fine.
I have tested this item ✅ successfully on aba35f1 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30221.
Thanks
New constants, 3.9.21 RC has been released joomla/joomla-cms#30221 joomla/joomla-cms#30390 (did not make changes, we have "Manager" in other places too) joomla/joomla-cms#30157 joomla/joomla-cms#30110 joomla/joomla-cms#29895 joomla/joomla-cms#30253
* Disable inline JavaScript when directly open SVG files * add postinstall message * add if module check Co-authored-by: Brian Teeman <brian@teeman.net>
joomla#30221)"" This reverts commit 7f7a448.
Summary of Changes
Disable inline JavaScript when directly opening SVG files.
This PR adds an SVG-file-only CSP rule to protect against JavaScript code embedded in SVG files.
This issue was initially reported to the JSST by Lee Thao.
Testing Instructions
Upload an SVG file with this content to the images folder:
try to access that image directly in the browser and click on the black circle.
Please notice the message "svg inline script executed!"
Apply the changes in this PR to the htaccess file.
Reload & click the circle again.
There is no message any more.
Actual result BEFORE applying this Pull Request
When accessing SVGs from outside of image tags, JavaScript can be executed, which could lead to XSS.
Expected result AFTER applying this Pull Request
With the proposed changes here we apply a dedicated CSP rule to SVG files that block all inline JS.
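The check below is an added example for the two halves of the problem described in this PR; it is not code from the PR or from Joomla, and the actual `.htaccess` directive merged here is not shown on this page. The first function finds the ways an SVG can run script when opened directly or embedded via the object tag (`<script>` elements, `on*` event handlers, `javascript:` URLs); the second decides whether a `Content-Security-Policy` header value a server sends for `*.svg` really forbids inline script, so the header can be verified with a real response rather than assumed. The sample SVG is constructed for this example and mirrors the test case above (a black circle whose click handler shows a message); all function names are mine.

```python
"""
Added example (not Joomla's code): offline checks for script in SVG files
and for whether a CSP header blocks inline script.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample (not the PR's test file): a clickable black circle with
# an inline event handler, a javascript: link and a <script> element.
SAMPLE_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="black"
          onclick="alert('svg inline script executed!')"/>
  <a xlink:href="javascript:alert(1)"><text x="10" y="90">link</text></a>
  <script>alert('svg script element executed!')</script>
</svg>
"""

INLINE_NEUTRALISERS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return tag.rsplit("}", 1)[-1]


def find_inline_script(svg_bytes):
    """Return (kind, detail) findings for every script-bearing construct in the SVG.

    Covers <script> elements, on* event handler attributes (e.g. onclick) and
    javascript: URLs in href / xlink:href. Raises ET.ParseError on non-XML input.
    """
    findings = []
    root = ET.fromstring(svg_bytes)
    for elem in root.iter():  # document order, root included
        name = _local(elem.tag)
        if name == "script":
            findings.append(("script-element", (elem.text or "").strip()))
        for attr, value in elem.attrib.items():
            aname = _local(attr).lower()
            if aname.startswith("on"):
                findings.append(("event-handler", f"{name}@{aname}"))
            elif aname == "href" and re.match(r"^\s*javascript:", value, re.I):
                findings.append(("javascript-url", f"{name}@{aname}"))
    return findings


def csp_blocks_inline_script(header_value):
    """True if the CSP policy forbids inline script.

    script-src governs; default-src is the fallback. With neither present the
    browser default applies and inline script runs. 'unsafe-inline' allows it,
    except that a nonce or hash source in the same directive makes browsers
    ignore 'unsafe-inline' (CSP Level 2), so inline handlers are blocked again.
    Duplicate directives: the first occurrence wins, as in browsers.
    """
    directives = {}
    for part in (header_value or "").split(";"):
        tokens = part.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    if "'unsafe-inline'" not in sources:
        return True
    return any(s.startswith(INLINE_NEUTRALISERS) for s in sources)


def svg_exposure(svg_bytes, csp_header):
    """Verdict for one served SVG: 'clean', 'blocked-by-csp' or 'exposed'."""
    if not find_inline_script(svg_bytes):
        return "clean"
    return "blocked-by-csp" if csp_blocks_inline_script(csp_header) else "exposed"


if __name__ == "__main__":
    for kind, detail in find_inline_script(SAMPLE_SVG):
        print(f"{kind:16} {detail}")
    # Constructed header values, e.g. taken from `curl -sI https://host/images/x.svg`
    for header in (None, "script-src 'none'", "default-src 'self' 'unsafe-inline'"):
        print(f"{header!r:40} -> {svg_exposure(SAMPLE_SVG, header)}")
```

Point `find_inline_script` at an upload directory to catch dangerous SVGs on hosts where the header cannot be applied (the IIS / missing-mod_headers case discussed above), and feed the `Content-Security-Policy` value from a real `curl -I` response to `csp_blocks_inline_script` to confirm the server-side rule is actually in effect for `.svg` requests.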
Documentation Changes Required
none
cc @HLeithner @SniperSister
Postinstall message