BUGFIX: Check SVG files for malicious code before providing original asset url links #4812
Conversation
dlubitz
requested review from
kdambekalns,
kitsunet,
rolandschuetz,
mficzel and
mhsdesign
| </a> | ||
| <f:if condition="{assetContainsMaliciousContent}"> | ||
| <f:then> | ||
| <img src="{assetProxy.previewUri}" class="img-polaroid" alt="{assetProxy.label}"/> |
There was a problem hiding this comment.
Are we sure the previewUri does never point to the potentially malicious content? 🤔
There was a problem hiding this comment.
No, we don't. But the code is just excecuted if you open the file in the browser directly. It's not executed if you embed it in an img-tag.
| </a> | ||
| <f:if condition="{assetContainsMaliciousContent}"> | ||
| <f:then> | ||
| <img src="{assetProxy.previewUri}" class="img-polaroid" alt="{assetProxy.label}"/> |
There was a problem hiding this comment.
Are we sure the previewUri does never point to the potentially malicious content? 🤔
Co-authored-by: Karsten Dambekalns <karsten@dambekalns.de>
There was a problem hiding this comment.
Great, thanks for taking care!
I was just wondering about the positioning of the error message and what happens if the filename is longer.
Also: Would it make sense to still output the URL of the asset somehow even if it might contain malicious content?
Both definitely no reason to block this!
|
@bwaidelich Long filename just wrap
|
This adds a check in the preview of assets in the media module and checks for malicous content in svgs. If detected, the direct links to the original url get removed from the preview pages and a warning is shown.
Fixes: