mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-21 16:13:00 +00:00

Fix XXE DDOs attack when uploading a malicious SVG (ref #152

Starbeamrainbowlabs 2017-12-13 20:20:34 +00:00
parent 582eda24d7
commit 0d4675ea41
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
4 changed files with 8 additions and 2 deletions


@ -6,8 +6,12 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
### Added
- Added an input box with auto-generated short markdown embed code with copy button to file pages
### Changed
- Added 1920 as a preset image size on file pages
### Fixed
- Fix saving edits to pages with an ampersand in their name (#99)
- [Security] Fixed an authenticated denial-of-service attack when uploading a malicious SVG (ref XXE billion laughs attack, #152)
## v0.15
_(No changes since v0.15-beta2)_


@ -5466,6 +5466,7 @@ function upload_check_svg($temp_filename)
*/
function getsvgsize($svgFilename)
{
libxml_disable_entity_loader(true); // Ref: XXE Billion Laughs Attack, issue #152
$svg = simplexml_load_file($svgFilename); // Load it as XML
if($svg === false)
{
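Review bot: With the entity loader disabled, `simplexml_load_file($svgFilename)` on the next line is known to fail on PHP builds of this era, because file-based libxml loaders go through the same loader, so `getsvgsize()` may now always take the `$svg === false` branch. The call also flips a process-wide libxml setting and never restores it, which can affect unrelated XML parsing later in the request and, on threaded SAPIs, possibly other requests. Reading the bytes first and restoring the previous value avoids both: `$prev = libxml_disable_entity_loader(true);` `$svg = simplexml_load_string(file_get_contents($svgFilename));` `libxml_disable_entity_loader($prev);`. The same added line appears in the last file section of this commit, and `getsvgsize()` continues past the end of both hunks, so the error branch is not visible here.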


@ -122,7 +122,7 @@
"author": "Starbeamrainbowlabs",
"description": "Adds the ability to upload files to Pepperminty Wiki. Uploaded files act as pages and have the special 'File\/' prefix.",
"id": "feature-upload",
"lastupdate": 1513158485,
"lastupdate": 1513195855,
"optional": false
},
{


@ -476,7 +476,7 @@ register_module([
if($mime_type == "application/pdf")
$fileTypeDisplay = "file";
$preview_sizes = [ 256, 512, 768, 1024, 1440 ];
$preview_sizes = [ 256, 512, 768, 1024, 1440, 1920 ];
$preview_html .= "\t\t\t<figure class='preview'>
<img src='$previewUrl' />
<nav class='image-controls'>
@ -622,6 +622,7 @@ function upload_check_svg($temp_filename)
*/
function getsvgsize($svgFilename)
{
libxml_disable_entity_loader(true); // Ref: XXE Billion Laughs Attack, issue #152
$svg = simplexml_load_file($svgFilename); // Load it as XML
if($svg === false)
{
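Review bot: The inline comment on the added `libxml_disable_entity_loader(true)` line credits it with stopping Billion Laughs, but that payload is built from nested internal entities, while this call only governs the loading of external entities. Whether issue #152 is actually closed therefore depends on libxml2's own entity-expansion limits, which nothing in this hunk shows being relied on or tested. I would reword the comment to `// Block external entity loading (XXE); internal entity expansion is NOT limited by this call, see #152` and consider having `upload_check_svg()` (named in the hunk header, body not shown) refuse any SVG that declares a `<!DOCTYPE`. `libxml_disable_entity_loader()` is also deprecated as of PHP 8.0, so this line will need revisiting on upgrade. The identical hunk earlier on the page (at its line 5466) carries the same comment.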