Apache Allura™ / Tickets / #8011 Served SVG images can execute JS

#8011 Served SVG images can execute JS

Milestone: v1.3.2

Status: closed

Owner: Dave Brondsema

Labels: security (34) sf-2 (994)

Component: General

Reviewer: Heith Seewald

Updated: 2015-11-02

Created: 2015-10-26

Creator: Dave Brondsema

Private: No

Since the SVG mime type (image/svg+xml) starts with image/, the AttachmentController lets it be displayed in the browser rather than download. However, SVGs can contain javascript and other insecure components.

https://www.hackinparis.com/slides/hip2k11/09-TheForbiddenImage.pdf
https://www.w3.org/wiki/SVG_Security

Dave Brondsema - 2015-10-26

status: in-progress --> review
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Heith Seewald - 2015-10-26

Reviewer: Heith Seewald
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Heith Seewald - 2015-10-26

status: review --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Heith Seewald - 2015-10-26

Nice tests :)
Merged.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2015-10-26

private: Yes --> No
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2015-11-02

labels: security, sf-current, sf-2 --> security, sf-2
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2015-12-08

Milestone: unreleased --> v1.3.2
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Apache Allura™

Forge software for hosting software projects

Milestone

Searches

Help

#8011 Served SVG images can execute JS

Related

Discussion