go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

Support SVG avatars #8707

Open strk opened 4 years ago

strk commented 4 years ago

SVG images are not supported as avatars (they cannot be uploaded and are reported to "not be an image"). I'm not sure this is a duplicate of #1095, so I'm filing it separately.

lunny commented 4 years ago

I think it's the same. Since it cannot be rendered safely, we cannot allow it to be uploaded.

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

stale[bot] commented 4 years ago

This issue has been automatically closed because of inactivity. You can re-open it if needed.

dmolineus commented 4 years ago

The issue still occurs. It would be great if it got reopened.

iFrozenPhoenix commented 2 years ago

@lunny could this issue eventually be resolved by using the method implemented in this pull request https://github.com/go-gitea/gitea/pull/14101?

lunny commented 2 years ago

I don't know if there is a risk for that.

wxiaoguang commented 2 years ago

Some references:

iFrozenPhoenix commented 2 years ago

Thanks for the references. @wxiaoguang I've looked at the code and found out that it is already implemented, but for an unknown reason it doesn't work. So I think this issue should be considered a bug.

The error message "The uploaded file is not an image." is the locale value for the variable "uploaded_avatar_not_a_image" which is present in the 2 files "routers/web/repo/setting.go" and "routers/web/user/setting/profile.go".

For an uploaded image there is the following content-type check:

st := typesniffer.DetectContentType(data)
// Accept only images, and explicitly exclude SVG even though it is detected as an image
if !(st.IsImage() && !st.IsSvgImage()) {
    return errors.New(ctx.Tr("settings.uploaded_avatar_not_a_image"))
}

EDIT: I've found the line where it is rejected. It's the second ! in the function above.

silverwind commented 1 year ago

If there is a battle-tested SVG sanitizer available in golang, we could reconsider.

iFrozenPhoenix commented 1 year ago

@silverwind I've done a quick search on GitHub and Google for one, but unfortunately I found just a few simple tag cleaners (they remove script tags, so they are far from battle-tested).

As far as I have seen, the current method for providing security with SVGs is to use an adequate Content Security Policy (HTTP header) or, better, to also use img tags for displaying the SVG image.

Additionally, I would suggest that SVG uploads must be enabled in the ini config.

I think Gitea admins should be able to decide on their own whether they want to use this functionality and accept the possible residual risk that it can be exploited. For a public instance it can make sense to forbid it, but for private instances the admins should have the option to allow it.
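The thread contrasts the `!st.IsSvgImage()` rejection above with the lack of a battle-tested SVG sanitizer. A middle ground a defender can reason about is a reject-only validator: parse the upload with the Go standard library's `encoding/xml` and refuse anything that is not a plain static drawing, rather than trying to clean it. The check below is an added example, not Gitea's code and not a substitute for serving avatars through `<img>` under a CSP; the allow-list, the `CheckStaticSVG` name and the two sample uploads are this example's own assumptions.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Allow-list of static drawing elements; anything else (script, foreignObject, a, image, animate, style, ...) rejects the upload. Reject-only: nothing is stripped, so there is no sanitizer to get wrong.
var allowedSVGElements = map[string]bool{
	"svg": true, "g": true, "defs": true, "title": true, "desc": true, "use": true, "stop": true,
	"path": true, "rect": true, "circle": true, "ellipse": true, "line": true, "polyline": true,
	"polygon": true, "text": true, "tspan": true, "linearGradient": true, "radialGradient": true,
}

// Constructed sample uploads (not taken from the issue): a static icon and one carrying active content.
var SampleStaticSVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>`
var SampleActiveSVG = `<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>x()</script></svg>`
// CheckStaticSVG returns nil only for well-formed XML rooted at <svg> that uses allow-listed elements,
// no on* handler attributes, no href/xlink:href beyond a #fragment, and no DTD/entity declarations.
func CheckStaticSVG(data []byte) error {
	dec := xml.NewDecoder(bytes.NewReader(data))
	sawRoot := false
	for tok, err := dec.Token(); err != io.EOF; tok, err = dec.Token() {
		if err != nil {
			return fmt.Errorf("malformed XML: %w", err)
		}
		switch t := tok.(type) {
		case xml.Directive: // <!DOCTYPE ...> / <!ENTITY ...>
			return fmt.Errorf("DTD or entity declaration not allowed")
		case xml.StartElement:
			if (!sawRoot && t.Name.Local != "svg") || !allowedSVGElements[t.Name.Local] {
				return fmt.Errorf("element <%s> not allowed", t.Name.Local)
			}
			sawRoot = true
			for _, a := range t.Attr {
				n := strings.ToLower(a.Name.Local) // Local is "href" for both href and xlink:href
				if strings.HasPrefix(n, "on") || (n == "href" && !strings.HasPrefix(a.Value, "#")) {
					return fmt.Errorf("attribute %s=%q not allowed", a.Name.Local, a.Value)
				}
			}
		}
	}
	if !sawRoot {
		return fmt.Errorf("no <svg> root element")
	}
	return nil
}
```

Because the check rejects instead of rewriting, a false positive only costs a legitimate avatar, whereas a sanitizer that misses one construct costs script execution in every visitor's browser.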