use svg-sanitize to sanitize SVG files
parent
936ceac2ce
commit
60d693d323
5 changed files with 166 additions and 3 deletions
|
@ -29,6 +29,7 @@
|
|||
"ifixit/php-akismet" : "1.*",
|
||||
"google/recaptcha" : "~1.1",
|
||||
"dapphp/securimage" : "3.6.*",
|
||||
"enshrined/svg-sanitize" : "0.8.2",
|
||||
|
||||
"bower-asset/jquery" : "1.12.3",
|
||||
"bower-asset/jquery-timeago" : "1.5.2",
|
||||
|
|
135
composer.lock
generated
135
composer.lock
generated
|
@ -4,7 +4,7 @@
|
|||
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
|
||||
"This file is @generated automatically"
|
||||
],
|
||||
"content-hash": "040335a85a560b3bdd3dcf55490c98a1",
|
||||
"content-hash": "7f6f5b16df991e848ec468b49c856dea",
|
||||
"packages": [
|
||||
{
|
||||
"name": "bower-asset/jquery",
|
||||
|
@ -152,6 +152,43 @@
|
|||
],
|
||||
"time": "2017-11-21T02:29:19+00:00"
|
||||
},
|
||||
{
|
||||
"name": "enshrined/svg-sanitize",
|
||||
"version": "0.8.2",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/darylldoyle/svg-sanitizer.git",
|
||||
"reference": "432fc4fc7e95b8a866790ba27e35076b9dd96ebe"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/432fc4fc7e95b8a866790ba27e35076b9dd96ebe",
|
||||
"reference": "432fc4fc7e95b8a866790ba27e35076b9dd96ebe",
|
||||
"shasum": ""
|
||||
},
|
||||
"require-dev": {
|
||||
"codeclimate/php-test-reporter": "^0.1.2",
|
||||
"phpunit/phpunit": "^4.7"
|
||||
},
|
||||
"type": "library",
|
||||
"autoload": {
|
||||
"psr-4": {
|
||||
"enshrined\\svgSanitize\\": "src"
|
||||
}
|
||||
},
|
||||
"notification-url": "https://packagist.org/downloads/",
|
||||
"license": [
|
||||
"GPL-2.0+"
|
||||
],
|
||||
"authors": [
|
||||
{
|
||||
"name": "Daryll Doyle",
|
||||
"email": "daryll@enshrined.co.uk"
|
||||
}
|
||||
],
|
||||
"description": "An SVG sanitizer for PHP",
|
||||
"time": "2017-12-06T15:31:26+00:00"
|
||||
},
|
||||
{
|
||||
"name": "flexihash/flexihash",
|
||||
"version": "v2.0.2",
|
||||
|
@ -633,6 +670,53 @@
|
|||
],
|
||||
"time": "2017-04-02T07:44:40+00:00"
|
||||
},
|
||||
{
|
||||
"name": "phpunit/php-file-iterator",
|
||||
"version": "1.4.x-dev",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/sebastianbergmann/php-file-iterator.git",
|
||||
"reference": "730b01bc3e867237eaac355e06a36b85dd93a8b4"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/sebastianbergmann/php-file-iterator/zipball/730b01bc3e867237eaac355e06a36b85dd93a8b4",
|
||||
"reference": "730b01bc3e867237eaac355e06a36b85dd93a8b4",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"php": ">=5.3.3"
|
||||
},
|
||||
"type": "library",
|
||||
"extra": {
|
||||
"branch-alias": {
|
||||
"dev-master": "1.4.x-dev"
|
||||
}
|
||||
},
|
||||
"autoload": {
|
||||
"classmap": [
|
||||
"src/"
|
||||
]
|
||||
},
|
||||
"notification-url": "https://packagist.org/downloads/",
|
||||
"license": [
|
||||
"BSD-3-Clause"
|
||||
],
|
||||
"authors": [
|
||||
{
|
||||
"name": "Sebastian Bergmann",
|
||||
"email": "sb@sebastian-bergmann.de",
|
||||
"role": "lead"
|
||||
}
|
||||
],
|
||||
"description": "FilterIterator implementation that filters files based on a list of suffixes.",
|
||||
"homepage": "https://github.com/sebastianbergmann/php-file-iterator/",
|
||||
"keywords": [
|
||||
"filesystem",
|
||||
"iterator"
|
||||
],
|
||||
"time": "2017-11-27T13:52:08+00:00"
|
||||
},
|
||||
{
|
||||
"name": "phpunit/php-text-template",
|
||||
"version": "1.2.1",
|
||||
|
@ -674,6 +758,55 @@
|
|||
],
|
||||
"time": "2015-06-21T13:50:34+00:00"
|
||||
},
|
||||
{
|
||||
"name": "phpunit/php-timer",
|
||||
"version": "1.0.x-dev",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/sebastianbergmann/php-timer.git",
|
||||
"reference": "9513098641797ce5f459dbc1de5a54c29b0ec1fb"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/sebastianbergmann/php-timer/zipball/9513098641797ce5f459dbc1de5a54c29b0ec1fb",
|
||||
"reference": "9513098641797ce5f459dbc1de5a54c29b0ec1fb",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"php": "^5.3.3 || ^7.0"
|
||||
},
|
||||
"require-dev": {
|
||||
"phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.0"
|
||||
},
|
||||
"type": "library",
|
||||
"extra": {
|
||||
"branch-alias": {
|
||||
"dev-master": "1.0-dev"
|
||||
}
|
||||
},
|
||||
"autoload": {
|
||||
"classmap": [
|
||||
"src/"
|
||||
]
|
||||
},
|
||||
"notification-url": "https://packagist.org/downloads/",
|
||||
"license": [
|
||||
"BSD-3-Clause"
|
||||
],
|
||||
"authors": [
|
||||
{
|
||||
"name": "Sebastian Bergmann",
|
||||
"email": "sb@sebastian-bergmann.de",
|
||||
"role": "lead"
|
||||
}
|
||||
],
|
||||
"description": "Utility class for timing",
|
||||
"homepage": "https://github.com/sebastianbergmann/php-timer/",
|
||||
"keywords": [
|
||||
"timer"
|
||||
],
|
||||
"time": "2018-01-06T05:27:16+00:00"
|
||||
},
|
||||
{
|
||||
"name": "phpunit/php-token-stream",
|
||||
"version": "1.4.x-dev",
|
||||
|
|
|
@ -6,11 +6,19 @@
|
|||
* Description: Handle static SVG files. (No thumbnail is generated for SVG files)
|
||||
*/
|
||||
|
||||
use enshrined\svgSanitize\Sanitizer;
|
||||
|
||||
class SVGFileHandler extends Extension {
|
||||
public function onDataUpload(DataUploadEvent $event) {
|
||||
if($this->supported_ext($event->type) && $this->check_contents($event->tmpname)) {
|
||||
$hash = $event->hash;
|
||||
move_upload_to_archive($event);
|
||||
|
||||
$sanitizer = new Sanitizer();
|
||||
$sanitizer->removeRemoteReferences(true);
|
||||
$dirtySVG = file_get_contents($event->tmpname);
|
||||
$cleanSVG = $sanitizer->sanitize($dirtySVG);
|
||||
file_put_contents(warehouse_path("images", $hash), $cleanSVG);
|
||||
|
||||
send_event(new ThumbnailGenerationEvent($event->hash, $event->type));
|
||||
$image = $this->create_image_from_data(warehouse_path("images", $hash), $event->metadata);
|
||||
if(is_null($image)) {
|
||||
|
@ -46,7 +54,12 @@ class SVGFileHandler extends Extension {
|
|||
|
||||
$page->set_type("image/svg+xml");
|
||||
$page->set_mode("data");
|
||||
$page->set_data(file_get_contents(warehouse_path("images", $hash)));
|
||||
|
||||
$sanitizer = new Sanitizer();
|
||||
$sanitizer->removeRemoteReferences(true);
|
||||
$dirtySVG = file_get_contents(warehouse_path("images", $hash));
|
||||
$cleanSVG = $sanitizer->sanitize($dirtySVG);
|
||||
$page->set_data($cleanSVG);
|
||||
}
|
||||
}
|
||||
|
||||
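Review bot: `$cleanSVG` is stored and served without being checked, yet `Sanitizer::sanitize()` returns `false` when the input cannot be loaded as XML, so an unparsable upload is written to the warehouse as an empty file by `file_put_contents` in the first hunk and served as `set_data(false)` in the second; both sites should test `$cleanSVG === false` and fail instead. The first hunk also reads `$event->tmpname` after `move_upload_to_archive($event)` has run — if that helper moves rather than copies the temp file (it is not visible here), that read returns `false` too, and reading back from `warehouse_path("images", $hash)` sidesteps the question. In the second hunk the preceding `$page->set_data(file_get_contents(warehouse_path("images", $hash)))` is now dead code: the file is read twice and the first value is overwritten. The duplicated sanitizer setup belongs in one private helper so the `removeRemoteReferences(true)` policy cannot drift between upload and display; note that `onDataUpload` continues past the first hunk and the method containing the second hunk begins before it.

```php
    /** Sanitize SVG text; returns null when the input is not parseable XML. */
    private function sanitize_svg(string $dirtySVG) {
        $sanitizer = new Sanitizer();
        $sanitizer->removeRemoteReferences(true);
        $cleanSVG = $sanitizer->sanitize($dirtySVG);
        return $cleanSVG === false ? null : $cleanSVG;
    }

    // … unchanged: onDataUpload guard and move_upload_to_archive($event) …
            $cleanSVG = $this->sanitize_svg(file_get_contents(warehouse_path("images", $hash)));
            if(is_null($cleanSVG)) {
                throw new UploadException("SVG could not be parsed for sanitizing");
            }
            file_put_contents(warehouse_path("images", $hash), $cleanSVG);
    // … unchanged: thumbnail event and create_image_from_data …

    // … unchanged: page type/mode setup in the get_svg handler …
            $cleanSVG = $this->sanitize_svg(file_get_contents(warehouse_path("images", $hash)));
            $page->set_data(is_null($cleanSVG) ? "" : $cleanSVG);
```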
|
|
|
@ -10,5 +10,13 @@ class SVGHandlerTest extends ShimmiePHPUnitTestCase {
|
|||
# FIXME: test that the thumb works
|
||||
# FIXME: test that it gets displayed properly
|
||||
}
|
||||
|
||||
public function testAbuiveSVG() {
|
||||
$this->log_in_as_user();
|
||||
$image_id = $this->post_image("tests/alert.svg", "something");
|
||||
$this->get_page("post/view/$image_id");
|
||||
$this->get_page("get_svg/$image_id");
|
||||
$this->assert_no_content("script");
|
||||
}
|
||||
}
|
||||
|
||||
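Review bot: The new test fetches two pages but asserts only once, and if `assert_no_content` inspects the most recently fetched page (as its placement suggests) the `post/view/$image_id` response is never checked; move `$this->assert_no_content("script");` directly after each `get_page` call, or drop the unasserted fetch. The test also cannot distinguish a sanitized SVG from an empty one, so it would still pass if sanitizing failed and wrote nothing — after the `get_svg` fetch add `$this->assert_content("polygon");` so the benign element from `tests/alert.svg` is required to survive. The method name `testAbuiveSVG` is misspelled; `testAbusiveSVG` is what the fixture describes. The enclosing class `SVGHandlerTest` begins before this hunk.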
|
|
8
tests/alert.svg
Normal file
8
tests/alert.svg
Normal file
|
@ -0,0 +1,8 @@
|
|||
<?xml version="1.0" standalone="no"?>
|
||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
||||
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" width="100" height="100">
|
||||
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
|
||||
<script type="text/javascript">
|
||||
alert(document.location);
|
||||
</script>
|
||||
</svg>
|