BUGFIX: Check SVG files for malicious code before providing original asset url links #4812
Conversation
</a> | ||
<f:if condition="{assetContainsMaliciousContent}"> | ||
<f:then> | ||
<img src="{assetProxy.previewUri}" class="img-polaroid" alt="{assetProxy.label}"/> |
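Review bot: the `<f:then>` branch, which is the one taken when `assetContainsMaliciousContent` is true, still embeds `{assetProxy.previewUri}` in an `<img>`, so the protection of this branch rests entirely on the preview URI never resolving to the flagged original SVG. Consider stating that assumption in a template comment next to the `<f:if>`, and covering it with a test that asserts the preview URI of a flagged asset points at a rasterised thumbnail rather than the uploaded file.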
Are we sure the previewUri never points to the potentially malicious content? 🤔
No, we don't. But the code is just executed if you open the file in the browser directly. It's not executed if you embed it in an img-tag.
</a> | ||
<f:if condition="{assetContainsMaliciousContent}"> | ||
<f:then> | ||
<img src="{assetProxy.previewUri}" class="img-polaroid" alt="{assetProxy.label}"/> |
Are we sure the previewUri never points to the potentially malicious content? 🤔
See above.
Co-authored-by: Karsten Dambekalns <karsten@dambekalns.de>
Thank you for taking care :)
Great, thanks for taking care!
I was just wondering about the positioning of the error message and what happens if the filename is longer.
Also: Would it make sense to still output the URL of the asset somehow even if it might contain malicious content?
Both definitely no reason to block this!
@bwaidelich Long filenames just wrap.
This adds a check in the preview of assets in the media module and checks for malicious content in SVGs. If detected, the direct links to the original URL get removed from the preview pages and a warning is shown.
Fixes:
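The check the pull request describes, deciding whether an uploaded SVG may be linked to directly, can be illustrated with a small parser-based scanner. The following is an added example written for this page, not the project's own code; the function names `find_malicious_content` and `asset_is_safe_to_link` and the two sample documents are constructed for the illustration. It flags the constructs that only run when the SVG is opened as a document (inline `<script>`, `on*` event handler attributes, `javascript:` hrefs, `<foreignObject>`), which matches the thread's reasoning that the preview `<img>` stays while the direct link is withheld. A file that cannot be parsed is reported as a finding so the caller fails closed.

```python
# Added example (not the project's code): conservative SVG scanner for the
# "may this asset be linked directly?" decision. Names are assumptions.
import xml.etree.ElementTree as ET

# Elements that carry or host executable content when the SVG is opened directly.
SCRIPTABLE_ELEMENTS = {"script", "foreignobject"}
# URI schemes that execute code when navigated to from a link.
ACTIVE_SCHEMES = ("javascript:", "vbscript:")


def _local_name(qualified: str) -> str:
    """Strip ElementTree's '{namespace}' prefix (e.g. from xlink:href) and lowercase."""
    return qualified.rsplit("}", 1)[-1].lower()


def _is_active_uri(value: str) -> bool:
    """Browsers ignore whitespace and control characters inside the scheme, so
    remove them before comparing; 'java\\nscript:' is therefore still caught."""
    compact = "".join(ch for ch in value if not ch.isspace()).lower()
    return compact.startswith(ACTIVE_SCHEMES)


def find_malicious_content(svg_bytes: bytes) -> list:
    """Return a list of findings describing scriptable content.

    An empty list means nothing suspicious was seen. Unparseable input is
    reported as a finding so that callers fail closed. Style sheets are not
    inspected here. For untrusted uploads in production, parse with defusedxml
    instead of xml.etree to bound entity expansion.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings = []
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in SCRIPTABLE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.startswith("on"):
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            elif attr_name == "href" and _is_active_uri(value):
                findings.append(f"active URI in href on <{name}>")
    return findings


def asset_is_safe_to_link(svg_bytes: bytes) -> bool:
    """True only when no scriptable content was found; used to decide whether
    the original asset URL may be offered as a direct link."""
    return not find_malicious_content(svg_bytes)


# Constructed sample inputs for the illustration (not real uploads).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4"/></svg>'
)
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="run()">'
    b'<script>run()</script>'
    b'<a xlink:href="java\nscript:run()"><text>label</text></a></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, asset_is_safe_to_link(doc), find_malicious_content(doc))
```

Because XML attribute-value normalisation turns the embedded newline in the `xlink:href` sample into a space, the scheme check still has to compact whitespace, which is why `_is_active_uri` does so rather than testing the raw prefix.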