security: fix stored XSS vulnerability via SVG attachment
Fixes CVE-2020-15275.

An attacker with write permissions can upload an SVG file that contains
malicious JavaScript. This JavaScript will be executed in a user's
browser when the user is viewing that SVG file on the wiki.

Components of this fix:

A) add svg mimetype to the XSS endangered types

   SVG can contain JavaScript and lead to stored XSS.

   Seems like the only exception to that is when using it in an
   <img> tag as src.

B) add svg+xml to the browser supported image types

   This makes moin use the <img> tag for SVGs.

   <img> does not have the SVG XSS issue.

Credits:

This vulnerability was discovered by:

Catarina Leite from the Checkmarx SCA AppSec team
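The two parts of the fix described in the commit message act at different points: part A decides how the raw attachment URL is served, part B decides what markup a wiki page emits when it references the attachment. The following is an added example, not MoinMoin's own code, that models that interaction with the config values taken from this commit's diff; the helper function names, the parameter normalisation, the "before" config, the sample URL and the plain-link fallback for non-image attachments are assumptions made for illustration.

```python
"""Added example (not MoinMoin code): how the two config values changed in
this commit combine when a wiki serves or embeds an attachment.  Key names
mirror the diff; the helpers below are hypothetical."""
import html

# Config as it reads after this commit (values copied from the diff).
CONFIG_AFTER = {
    'mimetypes_xss_protect': [
        'text/html',
        'image/svg+xml',
        'application/x-shockwave-flash',
        'application/xhtml+xml',
    ],
    'browser_supported_images': ('gif', 'jpg', 'jpeg', 'png', 'bmp', 'ico', 'svg+xml'),
}

# Same config before the commit, for comparison (the svg entries are absent).
CONFIG_BEFORE = {
    'mimetypes_xss_protect': [
        'text/html',
        'application/x-shockwave-flash',
        'application/xhtml+xml',
    ],
    'browser_supported_images': ('gif', 'jpg', 'jpeg', 'png', 'bmp', 'ico'),
}


def normalize(mimetype):
    """Drop parameters and case so 'Image/SVG+XML; charset=utf-8' still
    matches the exact strings in the list (assumed normalisation step)."""
    return mimetype.split(';', 1)[0].strip().lower()


def serve_disposition(mimetype, config):
    """Part A: how the attachment is served at its own URL.  Types that can
    carry script are sent as a download, so the browser never renders them
    as a document inside the wiki's origin; everything else is inline."""
    if normalize(mimetype) in config['mimetypes_xss_protect']:
        return 'attachment'
    return 'inline'


def embed_markup(url, mimetype, config):
    """Part B: markup for an attachment referenced from a wiki page.  Image
    subtypes the browser supports go into an <img> element, where embedded
    script is not executed; anything else becomes a plain link (the link
    fallback is an assumption of this example, not moin's behaviour)."""
    maintype, _, subtype = normalize(mimetype).partition('/')
    safe_url = html.escape(url, quote=True)  # keep the URL from breaking out of the attribute
    if maintype == 'image' and subtype in config['browser_supported_images']:
        return '<img src="%s" alt="%s">' % (safe_url, safe_url)
    return '<a href="%s">%s</a>' % (safe_url, safe_url)


def describe(url, mimetype, config):
    """Both decisions for one attachment, as a dict."""
    return {
        'disposition': serve_disposition(mimetype, config),
        'markup': embed_markup(url, mimetype, config),
    }


if __name__ == '__main__':
    # Constructed sample: an SVG attachment on a wiki page.
    svg = ('/wiki/attach/logo.svg', 'image/svg+xml')
    for label, cfg in (('before', CONFIG_BEFORE), ('after', CONFIG_AFTER)):
        print(label, describe(*svg, cfg))
```

Running the block prints the SVG case twice: before the commit it is served inline and embedded as a link, after it is forced to download at its own URL and embedded via `<img>` on the page, which is exactly the combination the commit message relies on.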
ThomasWaldmann committed Nov 8, 2020
1 parent d3e2ae0 commit 64e1603
Showing 2 changed files with 2 additions and 1 deletion.
2 changes: 1 addition & 1 deletion MoinMoin/config/__init__.py
@@ -12,7 +12,7 @@
from MoinMoin.util.chartypes import *

# List of image types browser do support regulary
browser_supported_images = ('gif', 'jpg', 'jpeg', 'png', 'bmp', 'ico', )
browser_supported_images = ('gif', 'jpg', 'jpeg', 'png', 'bmp', 'ico', 'svg+xml')

# Parser to use mimetype text
parser_text_mimetype = ('plain', 'csv', 'rst', 'docbook', 'latex', 'tex', 'html', 'css',
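Review bot: the comment above `browser_supported_images` still reads "List of image types browser do support regulary" and gives no hint that the new 'svg+xml' entry is load-bearing for CVE-2020-15275 (it is what routes SVG attachments through <img>, the one embedding the commit message says is safe). Suggest fixing the typo and adding a one-line note, e.g. `# 'svg+xml' is deliberate: SVG must only be embedded via <img>, see mimetypes_xss_protect`, so a later cleanup does not drop it. Also worth a second look: the existing entries are extension-like names ('jpg', 'ico') while the new one is a MIME subtype ('svg+xml'), so please confirm that the code consuming this tuple compares against the subtype of the detected mimetype, otherwise an uploaded .svg will not match and will fall back to whatever embedding caused the original issue.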
1 change: 1 addition & 0 deletions MoinMoin/config/multiconfig.py
@@ -1143,6 +1143,7 @@ def __init__(self, exprstr):
('mimetypes_xss_protect',
[
'text/html',
'image/svg+xml',
'application/x-shockwave-flash',
'application/xhtml+xml',
],
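Review bot: 'image/svg+xml' is added as an exact string to `mimetypes_xss_protect`, so the protection only applies when moin's mimetype detection yields precisely that value for the upload; any other spelling or a type derived differently for the same file would bypass it. Two things would make this hunk safer to maintain: a regression test that uploads a minimal .svg attachment and asserts it is served with the protective handling rather than rendered inline, and a short comment on the new entry explaining that SVG belongs here because it can carry script (the reasoning is only in the commit message today, not next to the config).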