#8011 Served SVG images can execute JS

v1.3.2
closed
General
Heith Seewald
2015-11-02
2015-10-26
No

Since the SVG MIME type (image/svg+xml) starts with image/, the AttachmentController lets it be displayed in the browser rather than downloaded. However, SVGs can contain JavaScript and other insecure components.

https://www.hackinparis.com/slides/hip2k11/09-TheForbiddenImage.pdf
https://www.w3.org/wiki/SVG_Security
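
The check described in this ticket, next to an allowlist-based alternative, as an added example that is not Allura's code or the merged fix. The function names, the allowlist contents and the extra response headers are assumptions made for illustration.

```python
# Added illustration; not Allura's AttachmentController code.
# Function names and the allowlist contents are assumptions.

# Raster formats with no script or markup execution model in browsers.
SAFE_INLINE_TYPES = frozenset({'image/png', 'image/jpeg', 'image/gif'})


def normalize(content_type):
    """Strip parameters and case: 'Image/SVG+XML; charset=utf-8' -> 'image/svg+xml'."""
    return (content_type or '').split(';', 1)[0].strip().lower()


def naive_disposition(content_type):
    """The prefix check described in the ticket: any image/* is shown inline."""
    return 'inline' if normalize(content_type).startswith('image/') else 'attachment'


def hardened_disposition(content_type):
    """Allowlist check: only known passive raster types are shown inline."""
    return 'inline' if normalize(content_type) in SAFE_INLINE_TYPES else 'attachment'


def response_headers(content_type, filename):
    """Headers for serving a user-uploaded attachment."""
    # Drop characters that would break out of the quoted filename or the header.
    safe_name = filename.replace('"', '').replace('\r', '').replace('\n', '')
    disposition = hardened_disposition(content_type)
    headers = {
        'Content-Type': normalize(content_type) or 'application/octet-stream',
        'Content-Disposition': '%s; filename="%s"' % (disposition, safe_name),
        # Stop the browser from sniffing a different, renderable type.
        'X-Content-Type-Options': 'nosniff',
    }
    if disposition == 'attachment':
        # Defense in depth if the file is still opened from this origin.
        headers['Content-Security-Policy'] = "default-src 'none'; sandbox"
    return headers


if __name__ == '__main__':
    # Constructed sample content types.
    for ct in ('image/png', 'image/svg+xml', 'Image/SVG+XML; charset=utf-8', 'text/html'):
        print('%-32s naive=%-10s hardened=%s'
              % (ct, naive_disposition(ct), hardened_disposition(ct)))
```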

Related

Git: 578d9d6b6d19cd663634876a

Discussion

  • Dave Brondsema

    Dave Brondsema - 2015-10-26
    • status: in-progress --> review
     
  • Heith Seewald

    Heith Seewald - 2015-10-26
    • Reviewer: Heith Seewald
     
  • Heith Seewald

    Heith Seewald - 2015-10-26
    • status: review --> closed
     
  • Heith Seewald

    Heith Seewald - 2015-10-26

    Nice tests :)
    Merged.

     
  • Dave Brondsema

    Dave Brondsema - 2015-10-26
    • private: Yes --> No
     
  • Dave Brondsema

    Dave Brondsema - 2015-11-02
    • labels: security, sf-current, sf-2 --> security, sf-2
     
  • Dave Brondsema

    Dave Brondsema - 2015-12-08
    • Milestone: unreleased --> v1.3.2
     
