1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-10-31 21:33:00 +00:00

feature-upload: ensure that Javascript in SVG images does not execute

My first time using Content-Security-Policy. Yay!

It's real powerful, but I have yet to find a good generator to help me 
create more complex policies. In this case, the policy allows everything 
by default, but disables all Javascript.

This new Content-Security-Policy header is served for all image 
previews.
This commit is contained in:
Starbeamrainbowlabs 2021-09-21 14:04:42 +01:00
parent f59e68127c
commit 7b6cbbe821
Signed by: sbrl
GPG key ID: 1BE5172E637709C2

View file

@ -313,6 +313,10 @@ register_module([
add_action("preview", function() { add_action("preview", function() {
global $settings, $env, $pageindex, $start_time; global $settings, $env, $pageindex, $start_time;
// Disable Javascript in all SVGs
// Doesn't hurt to serve it for other images too just in case some wacky new format supports Javascript for some crazy reason
header("Content-Security-Policy: default-src *; script-src 'none'; script-src-elem 'none'; script-src-attr 'none'");
if(empty($pageindex->{$env->page}->uploadedfilepath)) if(empty($pageindex->{$env->page}->uploadedfilepath))
{ {
$im = errorimage("The page '$env->page_safe' doesn't have an associated file."); $im = errorimage("The page '$env->page_safe' doesn't have an associated file.");
@ -487,7 +491,7 @@ register_module([
$dimensions = $mime_type !== "image/svg+xml" ? getimagesize($env->storage_prefix . $filepath) : getsvgsize($env->storage_prefix . $filepath); $dimensions = $mime_type !== "image/svg+xml" ? getimagesize($env->storage_prefix . $filepath) : getsvgsize($env->storage_prefix . $filepath);
$fileTypeDisplay = slugify(substr($mime_type, 0, strpos($mime_type, "/"))); $fileTypeDisplay = slugify(substr($mime_type, 0, strpos($mime_type, "/")));
$previewUrl = htmlentities("?action=preview&size=$settings->default_preview_size&page=" . rawurlencode($env->page)); $previewUrl = htmlentities("?action=preview&size=$settings->default_preview_size&page=" . rawurlencode($env->page));
$originalUrl = htmlentities($env->storage_prefix == "./" ? $filepath : "?action=preview&size=original&page=" . rawurlencode($env->page)); $originalUrl = htmlentities($env->storage_prefix == "./" && $mime_type !== "image/svg+xml" ? $filepath : "?action=preview&size=original&page=" . rawurlencode($env->page));
if($mime_type == "application/pdf") if($mime_type == "application/pdf")
$fileTypeDisplay = "pdf"; $fileTypeDisplay = "pdf";
@ -547,6 +551,9 @@ register_module([
$fileInfo["Uploaded by"] = $pageindex->{$env->page}->lasteditor; $fileInfo["Uploaded by"] = $pageindex->{$env->page}->lasteditor;
$fileInfo["Short markdown embed code"] = "<input type='text' class='short-embed-markdown-code' value='![" . htmlentities($fileInfo["Name"], ENT_QUOTES | ENT_HTML5) . "](" . htmlentities($filepath, ENT_QUOTES | ENT_HTML5) . " | right | 350x350)' readonly /> <button class='short-embed-markdown-button'>Copy</button>"; $fileInfo["Short markdown embed code"] = "<input type='text' class='short-embed-markdown-code' value='![" . htmlentities($fileInfo["Name"], ENT_QUOTES | ENT_HTML5) . "](" . htmlentities($filepath, ENT_QUOTES | ENT_HTML5) . " | right | 350x350)' readonly /> <button class='short-embed-markdown-button'>Copy</button>";
if($mime_type == "image/svg+xml")
$fileInfo["Warning"] = "Warning: SVG images may contain Javascript. Although $settings->sitename disables execution of Javascript in SVGs, if you download an SVG and view it in your browser directly the Javascript may execute. <strong>Make sure you trust the source of this SVG before downloading!</strong>";
$preview_html .= "\t\t\t<h2>File Information</h2> $preview_html .= "\t\t\t<h2>File Information</h2>
<table>"; <table>";
foreach ($fileInfo as $displayName => $displayValue) foreach ($fileInfo as $displayName => $displayValue)