Closed pierstitus closed 2 years ago
Good point, allowing svg is a must have! Feel free to do a PR (you can even do this with the Github editor).
I love SVGs but they also bring a wide range of vulnerabilities. When inserted as an image, the contained scripts will not be executed, but once the image is uploaded to the server, a user just needs to be convinced to visit the link for havoc to be wrought.
With great features come vulnerabilities, but that should be decided by the forum admin by allowing the svg mimetype or not. It would be nice though to be able to choose whether images are inserted as images or as links.
I agree that admins should have a say in this but if flagrow/upload is striving to be secure software, it should
Either way, security minefields should not be enabled by default.
@jtojnar thanks for that link, I think it would make for a great optional add-on feature. A solution for now would be to add a settings input field that would allow configuration of the mime types being shown as images. Wouldn't that solve this altogether?
@Luceos Showing the SVGs as images (via img tag) is actually safe. The issue occurs when the uploaded file is visited directly.
I've merged the PR but adding SVG sanitizer makes sense.
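The sanitizer idea above, and the point two comments earlier that an SVG is only dangerous when the stored file is opened directly rather than through an img tag, as an added example that is not flagrow/upload's code: the function strips script, event-handler attributes, external hrefs and external style references from an uploaded SVG before it is stored. The constant list, the function name `sanitizeSvg` and the sample input are assumptions made for this example.

```php
<?php
// Added example, not flagrow/upload's own code: a small SVG sanitizer that
// strips active content before the upload is stored, so that a visitor who
// opens the stored file directly (not through an <img> tag) gets no script.
// Assumes PHP 7.4+ with ext-dom (DOMDocument) available.

// Elements removed outright. The animate* family can rewrite href attributes
// at runtime and <style> can pull external resources via url(), so this
// conservative list drops them as well.
const SVG_BLOCKED_ELEMENTS = [
    'script', 'foreignObject', 'style',
    'set', 'animate', 'animateMotion', 'animateTransform',
];

/**
 * Returns the sanitized SVG document, or null when the input is not a
 * well-formed SVG (the caller should reject the upload in that case).
 */
function sanitizeSvg(string $svg): ?string
{
    $prev = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing; LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately not passed, as they enable entity expansion.
    $loaded = $dom->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = $dom->documentElement;
    if (!$loaded || $root === null
        || $root->localName !== 'svg'
        || $root->namespaceURI !== 'http://www.w3.org/2000/svg') {
        return null;
    }

    // Snapshot the node list first: removing nodes while walking a live
    // DOMNodeList skips siblings.
    $xpath = new DOMXPath($dom);
    $elements = iterator_to_array($xpath->query('//*'), false);

    foreach ($elements as $el) {
        /** @var DOMElement $el */
        $foreign = $el->namespaceURI !== 'http://www.w3.org/2000/svg';
        if ($foreign || in_array($el->localName, SVG_BLOCKED_ELEMENTS, true)) {
            if ($el->parentNode !== null) {
                $el->parentNode->removeChild($el);
            }
            continue;
        }

        // Attributes: drop event handlers, any href that is not an in-document
        // fragment (#id), and inline styles that reference external resources.
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            /** @var DOMAttr $attr */
            $name   = strtolower($attr->nodeName);   // e.g. "onload", "xlink:href"
            $value  = trim($attr->nodeValue);
            $isHref = $attr->localName === 'href';   // matches href and xlink:href

            if (strncmp($name, 'on', 2) === 0
                || ($isHref && ($value === '' || $value[0] !== '#'))
                || ($name === 'style' && preg_match('/url\s*\(|@import|expression\s*\(/i', $value))) {
                $el->removeAttributeNode($attr);
            }
        }
    }

    $out = $dom->saveXML();
    return $out === false ? null : $out;
}

// Constructed sample input: a harmless circle plus an inline script, an event
// handler, a <use> pointing at another document and an external fill.
$sample = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="console.log(1)">'
    . '<script>console.log("runs when the file is opened directly")</script>'
    . '<use xlink:href="http://example.com/other.svg#x"/>'
    . '<circle r="5" style="fill: url(http://example.com/p.svg)"/>'
    . '</svg>';

echo sanitizeSvg($sample);
```

This is a block list, so it only covers what it names; for production use a maintained allow-list sanitizer (for example the enshrined/svg-sanitize Composer package) is the safer choice, and the forced-download header discussed later in this thread is a worthwhile second layer regardless.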
Maybe it would be possible to force some specified extensions (like svg) to be downloaded via PHP with a Content-Disposition: attachment header. It might also be possible to achieve the same thing using .htaccess for Apache.
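The forced-download approach suggested above, as an added example that is not flagrow/upload's code: a PHP front door for the upload directory that sends `Content-Disposition: attachment` (plus `nosniff` and a sandbox CSP) for extensions that can carry active content and serves everything else inline. The upload directory, the extension list and the `?file=` query parameter are assumptions made for this example.

```php
<?php
// Added example, not flagrow/upload's own code: serve uploads through a PHP
// front door that forces a download for extensions able to carry active
// content, so a direct visit to an uploaded SVG never renders it. Assumes the
// upload directory below and that the file name arrives as ?file=<name>.

const UPLOAD_DIR = '/var/www/uploads';          // assumed location
const FORCE_DOWNLOAD = ['svg', 'svgz', 'html', 'htm', 'xhtml', 'xml'];

/**
 * Resolves a requested name to a file inside UPLOAD_DIR and decides the
 * response headers. Returns null for anything outside the directory.
 */
function resolveUpload(string $requested): ?array
{
    $base = basename($requested);                  // strip directory parts
    $path = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $base);
    $dir  = realpath(UPLOAD_DIR);
    // realpath() follows symlinks and ".." so the containment check is on the
    // real location, not on the string the client supplied.
    if ($path === false || $dir === false || !is_file($path)
        || strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return null;
    }

    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $headers = [
        'X-Content-Type-Options' => 'nosniff',     // no MIME sniffing into text/html
        'Content-Length'         => (string) filesize($path),
    ];
    if (in_array($ext, FORCE_DOWNLOAD, true)) {
        $safeName = str_replace(['"', "\r", "\n"], '', $base);
        $headers['Content-Type'] = 'application/octet-stream';
        $headers['Content-Disposition'] = 'attachment; filename="' . $safeName . '"';
        // Defence in depth: a browser that still renders the document gets it
        // sandboxed, with script disabled.
        $headers['Content-Security-Policy'] = 'sandbox';
    } else {
        $headers['Content-Type'] = mime_content_type($path) ?: 'application/octet-stream';
        $headers['Content-Disposition'] = 'inline';
    }
    return ['path' => $path, 'headers' => $headers];
}

function serveUpload(string $requested): void
{
    $resolved = resolveUpload($requested);
    if ($resolved === null) {
        http_response_code(404);
        return;
    }
    foreach ($resolved['headers'] as $name => $value) {
        header($name . ': ' . $value);
    }
    readfile($resolved['path']);
}

serveUpload($_GET['file'] ?? '');
```

Routing every upload through PHP costs some throughput; the Apache-only alternative mentioned above is a `<FilesMatch "\.svgz?$">` block in .htaccess containing `Header set Content-Disposition attachment` (mod_headers), which forces the download without touching PHP but does not give you the containment check or the sandbox policy.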
Resolved in 1.2.3
Uploading SVG images fails when they are opened by the image processor. I didn't test it but, looking at the code, I guess uploading any image file other than png, jpeg or gif would also fail.
I think the following lines should be changed:
src/Listeners/ProcessesImages.php:
src/Processors/ImageProcessor.php: