Disable inline JavaScript when directly open SVG files

[zero-24]

Summary of Changes

Disable inline JavaScript when directly open SVG files.
This PR adds an SVG file only CSP rule to protect against JavaScript code embedded in SVG files.

This issue was inital reported to the JSST by Lee Thao

Testing Instructions

upload an SVG file with this content to the images folder:

<?xml version="1.0" encoding="UTF-8"?>
<svg width="30" height="30" xmlns="http://www.w3.org/2000/svg">
  <circle cx="15" cy="15" r="15" onclick="alert('svg inline script executed!')"></circle>
</svg>

try to access that image directly in the browser and click on the black circle.
Please notice the message "svg inline script executed!"
Apply the changes in this PR to the htaccess file.
Reload & click the circle again.
There is no message any more.

Actual result BEFORE applying this Pull Request

When accessing SVGs from outside of image tags JavaScript can be executed that could lead to XSS

Expected result AFTER applying this Pull Request

With the proposed changes here we apply a dedicated CSP rule to SVG files that block all inline JS.

Documentation Changes Required

none

cc @HLeithner @SniperSister

Postinstall message

[HLeithner]

Suggested change

	## Disable inline JavaScript when directly open SVG files
	## Disable inline JavaScript when directly open SVG files or embed them with the object-tag

[brianteeman]

opening and embedding please

[brianteeman]

This should be accompanied with a postinstallation message

[zero-24]

Agree can you give me an example for the text to be used?

It should say something like additional hardening for SVG files and that they can acomplish that hardening by adding the mention lines to the htaccess file.

[brianteeman]

I would use the previous message .htaccess & web.config Security Update as a template for this one

Joomla is now shipped with an additional security rule in the default htaccess.txt and web.config.txt files. This rule will protect users of svg files from potential Cross-Site-Scripting(XSS) vulnerabilities.

The security team recommends to manually ....

[toivo]

I have tested this item ✅ successfully on cd4fcbb

Tested successfully in Beta3.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30221.}

[viocassel]

I have tested this item ✅ successfully on cd4fcbb

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30221.}

[zero-24]

I have just implemented an postinstall message and the inline comment:

Thanks

[zero-24]

@viocassel @toivo can you take a look into the postinstall message that has been added here? So we can make this as RTC for 3.9.21 :)

[richard67]

@zero-24 Can be be 100% sure that on Apache the mod_headers is enabled?

If not (what I assume), then we have to wrap the htaccess change into an <IfModule mod_headers.c>, if it is possible to have nested IfModule and FilesMatch. Otherwise, if it is not possible, we have at least to add some comment and extend the postinstall message.

[richard67]

@zero-24 Would the following work on all supported Apache versions?

<FilesMatch "\.svg$">
	<IfModule mod_headers.c>
		Header always set Content-Security-Policy "script-src 'none'"
	</IfModule>
</FilesMatch>

[zero-24]

@zero-24 Would the following work on all supported Apache versions?

Tbh I don't know, i guess it has to be tried. :D

[richard67]

Tbh I don't know, i guess it has to be tried. :D

@zero-24 If you get me an Apache 2.0 from the German museum in Munich I can try it ;-)

[zero-24]

Changes have been pushed.

[richard67]

@zero-24 Now it will not crash if mod_headers is not there => Fine.

But it also will not apply the rule in this case, and so you can upload dangerous svg.

Is there anything we can do about this?

I mean we have that problem with all csp headers we set in htaccess.

Maybe we really should require mod_headers?

[richard67]

And the next question of course is: What do we do with IIS?

[zero-24]

And the next question of course is: What do we do with IIS?

As mention in the postinstall i'm not aware of how to do that with web.config

[zero-24]

@zero-24 Now it will not crash if mod_headers is not there => Fine.

But it also will not apply the rule in this case, and so you can upload dangerous svg.

Is there anything we can do about this?

I mean we have that problem with all csp headers we set in htaccess.

Maybe we really should require mod_headers?

We just apply server side protection here.

When it is not there but taken care otherwise on the server side this is fine.

[richard67]

I have tested this item ✅ successfully on aba35f1

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30221.}

[HLeithner]

Thanks