From bc68137797514ab974da8268b6d3e8b039f240d7 Mon Sep 17 00:00:00 2001 From: Shish Date: Tue, 20 Feb 2018 21:35:43 +0000 Subject: [PATCH] use svg-sanitize to sanitize SVG files --- composer.json | 1 + composer.lock | 39 ++++++++++++++++++++++++++++++++++++++- ext/handle_svg/main.php | 17 +++++++++++++++-- ext/handle_svg/test.php | 8 ++++++++ tests/alert.svg | 8 ++++++++ 5 files changed, 70 insertions(+), 3 deletions(-) create mode 100644 tests/alert.svg diff --git a/composer.json b/composer.json index 504262e7..ccb454e3 100644 --- a/composer.json +++ b/composer.json @@ -30,6 +30,7 @@ "google/recaptcha" : "~1.1", "dapphp/securimage" : "3.6.*", "shish/libcontext-php" : "dev-master", + "enshrined/svg-sanitize" : "0.8.2", "bower-asset/jquery" : "1.12.3", "bower-asset/jquery-timeago" : "1.5.2", diff --git a/composer.lock b/composer.lock index d1445182..2ca1f51e 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "content-hash": "eb5180245fbf27fb02d9a4018a2ff059", + "content-hash": "fd0ccce172ded2999f5ced0884990541", "packages": [ { "name": "bower-asset/jquery", @@ -152,6 +152,43 @@ ], "time": "2017-11-21T02:29:19+00:00" }, + { + "name": "enshrined/svg-sanitize", + "version": "0.8.2", + "source": { + "type": "git", + "url": "https://github.com/darylldoyle/svg-sanitizer.git", + "reference": "432fc4fc7e95b8a866790ba27e35076b9dd96ebe" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/432fc4fc7e95b8a866790ba27e35076b9dd96ebe", + "reference": "432fc4fc7e95b8a866790ba27e35076b9dd96ebe", + "shasum": "" + }, + "require-dev": { + "codeclimate/php-test-reporter": "^0.1.2", + "phpunit/phpunit": "^4.7" + }, + "type": "library", + "autoload": { + "psr-4": { + "enshrined\\svgSanitize\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "GPL-2.0+" + ], + "authors": [ + { + "name": "Daryll Doyle", + "email": "daryll@enshrined.co.uk" + } + ], + "description": "An SVG sanitizer for PHP", + "time": "2017-12-06T15:31:26+00:00" + }, { "name": "flexihash/flexihash", "version": "v2.0.2", diff --git a/ext/handle_svg/main.php b/ext/handle_svg/main.php index 2e58dbd3..2847a092 100644 --- a/ext/handle_svg/main.php +++ b/ext/handle_svg/main.php @@ -6,11 +6,19 @@ * Description: Handle static SVG files. (No thumbnail is generated for SVG files) */ +use enshrined\svgSanitize\Sanitizer; + class SVGFileHandler extends Extension { public function onDataUpload(DataUploadEvent $event) { if($this->supported_ext($event->type) && $this->check_contents($event->tmpname)) { $hash = $event->hash; - move_upload_to_archive($event); + + $sanitizer = new Sanitizer(); + $sanitizer->removeRemoteReferences(true); + $dirtySVG = file_get_contents($event->tmpname); + $cleanSVG = $sanitizer->sanitize($dirtySVG); + file_put_contents(warehouse_path("images", $hash), $cleanSVG); + send_event(new ThumbnailGenerationEvent($event->hash, $event->type)); $image = $this->create_image_from_data(warehouse_path("images", $hash), $event->metadata); if(is_null($image)) { @@ -46,7 +54,12 @@ class SVGFileHandler extends Extension { $page->set_type("image/svg+xml"); $page->set_mode("data"); - $page->set_data(file_get_contents(warehouse_path("images", $hash))); + + $sanitizer = new Sanitizer(); + $sanitizer->removeRemoteReferences(true); + $dirtySVG = file_get_contents(warehouse_path("images", $hash)); + $cleanSVG = $sanitizer->sanitize($dirtySVG); + $page->set_data($cleanSVG); } } diff --git a/ext/handle_svg/test.php b/ext/handle_svg/test.php index aaa2c350..f8aaa96c 100644 --- a/ext/handle_svg/test.php +++ b/ext/handle_svg/test.php @@ -10,5 +10,13 @@ class SVGHandlerTest extends ShimmiePHPUnitTestCase { # FIXME: test that the thumb works # FIXME: test that it gets displayed properly } + + public function testAbuiveSVG() { + $this->log_in_as_user(); + $image_id = $this->post_image("tests/alert.svg", "something"); + $this->get_page("post/view/$image_id"); + $this->get_page("get_svg/$image_id"); + $this->assert_no_content("script"); + } } diff --git a/tests/alert.svg b/tests/alert.svg new file mode 100644 index 00000000..7729c9cd --- /dev/null +++ b/tests/alert.svg @@ -0,0 +1,8 @@ + + + + + +