1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-22 04:23:01 +00:00

Fix XXE DDOs attack when uploading a malicious SVG (ref #152

This commit is contained in:
Starbeamrainbowlabs 2017-12-13 20:20:34 +00:00
parent 582eda24d7
commit 0d4675ea41
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
4 changed files with 8 additions and 2 deletions

View file

@ -6,8 +6,12 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
### Added ### Added
- Added an input box with auto-generated short markdown embed code with copy button to file pages - Added an input box with auto-generated short markdown embed code with copy button to file pages
### Changed
- Added 1920 as a preset image size on file pages
### Fixed ### Fixed
- Fix saving edits to pages with an ampersand in their name (#99) - Fix saving edits to pages with an ampersand in their name (#99)
- [Security] Fixed an authenticated denial-of-service attack when uploading a malicious SVG (ref XXE billion laughs attack, #152)
## v0.15 ## v0.15
_(No changes since v0.15-beta2)_ _(No changes since v0.15-beta2)_

View file

@ -5466,6 +5466,7 @@ function upload_check_svg($temp_filename)
*/ */
function getsvgsize($svgFilename) function getsvgsize($svgFilename)
{ {
libxml_disable_entity_loader(true); // Ref: XXE Billion Laughs Attack, issue #152
$svg = simplexml_load_file($svgFilename); // Load it as XML $svg = simplexml_load_file($svgFilename); // Load it as XML
if($svg === false) if($svg === false)
{ {

View file

@ -122,7 +122,7 @@
"author": "Starbeamrainbowlabs", "author": "Starbeamrainbowlabs",
"description": "Adds the ability to upload files to Pepperminty Wiki. Uploaded files act as pages and have the special 'File\/' prefix.", "description": "Adds the ability to upload files to Pepperminty Wiki. Uploaded files act as pages and have the special 'File\/' prefix.",
"id": "feature-upload", "id": "feature-upload",
"lastupdate": 1513158485, "lastupdate": 1513195855,
"optional": false "optional": false
}, },
{ {

View file

@ -476,7 +476,7 @@ register_module([
if($mime_type == "application/pdf") if($mime_type == "application/pdf")
$fileTypeDisplay = "file"; $fileTypeDisplay = "file";
$preview_sizes = [ 256, 512, 768, 1024, 1440 ]; $preview_sizes = [ 256, 512, 768, 1024, 1440, 1920 ];
$preview_html .= "\t\t\t<figure class='preview'> $preview_html .= "\t\t\t<figure class='preview'>
<img src='$previewUrl' /> <img src='$previewUrl' />
<nav class='image-controls'> <nav class='image-controls'>
@ -622,6 +622,7 @@ function upload_check_svg($temp_filename)
*/ */
function getsvgsize($svgFilename) function getsvgsize($svgFilename)
{ {
libxml_disable_entity_loader(true); // Ref: XXE Billion Laughs Attack, issue #152
$svg = simplexml_load_file($svgFilename); // Load it as XML $svg = simplexml_load_file($svgFilename); // Load it as XML
if($svg === false) if($svg === false)
{ {