
[BUGFIX] Disallow file preview for image/svg+xml files

Wouter de Droog requested to merge wouterdedroog/Jirafeau:master into next-release

This PR fixes the issue I've privately disclosed in #284.

EDIT: Since this issue is now fixed I feel comfortable in sharing the details. In Jirafeau versions before 4.4.0, it was possible to exploit the File Preview functionality to execute JavaScript for every user that visited a specifically crafted file preview.

This was possible because image/svg+xml files were directly shown to the user. image/svg+xml files can contain executable JavaScript, meaning that a malicious actor could upload an SVG file containing JavaScript. When a user visited this page, the JavaScript embedded in this file would be executed. This could, for example, lead to account takeovers or redirect users to phishing pages.

As an example, the following SVG file could be uploaded: test.svg. When a user visits the Jirafeau preview link for this image in versions before 4.4.0, an alert box will open with the current URL.

Edited by Wouter de Droog
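The kind of check the fix needs, shown here as an added example rather than Jirafeau's own code (the project is written in PHP; this is a Python sketch of the serving logic). It assumes an allowlist of previewable MIME types, a constructed SVG payload of the sort described above, and the helper names used below; none of these come from the merge request. The security-relevant point is that a browser runs scripts in an SVG only when the SVG is loaded as a document (direct navigation, an `<object>` or `<iframe>`), which is exactly what a "preview" link that serves the raw file with `Content-Type: image/svg+xml` does, so the file must either be sent as a download or with a type the browser will not render as a document. `X-Content-Type-Options: nosniff` keeps the browser from re-guessing the type in either case.

```python
import re

# Assumption (this example's allowlist, not a list from the Jirafeau code base):
# only these declared types get an inline preview. image/svg+xml is left out on
# purpose: an SVG document can carry <script> elements and on* event handlers,
# and a browser that navigates straight to the preview URL will run them in the
# origin of the file host.
PREVIEWABLE_TYPES = frozenset({
    "image/png",
    "image/jpeg",
    "image/gif",
    "image/webp",
    "image/bmp",
    "text/plain",
})

# Constructed sample: an SVG of the kind the merge request describes, which pops
# an alert with the current URL when rendered as a document.
SAMPLE_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.location)">\n'
    b'  <script>alert(document.location)</script>\n'
    b'</svg>\n'
)


def normalize_mime(mime_type: str) -> str:
    """Lower-case the media type and drop parameters such as '; charset=utf-8'."""
    return mime_type.split(";", 1)[0].strip().lower()


def looks_like_svg(data: bytes) -> bool:
    """Heuristic content check: an <svg element within the first kilobyte.

    Defence in depth for an upload whose declared type is wrong; the declared-type
    allowlist is the primary control. Deliberately conservative: a false positive
    only costs an inline preview, a false negative could cost script execution.
    """
    head = data[:1024].lower()
    return b"<svg" in head


def safe_filename(name: str) -> str:
    """Strip characters that would break or inject into a Content-Disposition value."""
    cleaned = re.sub(r'[\x00-\x1f\x7f"\\]', "", name)
    return cleaned or "download"


def preview_headers(mime_type: str, filename: str, data: bytes = b"") -> dict:
    """Return the response headers for serving one upload.

    Only allowlisted types are sent inline with their own Content-Type; SVG and
    everything else are forced to a download as application/octet-stream.
    nosniff is set in both branches so the browser does not second-guess the type.
    """
    declared = normalize_mime(mime_type)
    name = safe_filename(filename)
    if declared in PREVIEWABLE_TYPES and not looks_like_svg(data):
        return {
            "Content-Type": declared,
            "Content-Disposition": f'inline; filename="{name}"',
            "X-Content-Type-Options": "nosniff",
        }
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed inputs: the SVG from above, the same SVG mislabeled as PNG,
    # and a real PNG signature.
    for mime, name, body in [
        ("image/svg+xml", "test.svg", SAMPLE_SVG),
        ("image/png", "test.png", SAMPLE_SVG),
        ("image/png", "photo.png", b"\x89PNG\r\n\x1a\n"),
    ]:
        headers = preview_headers(mime, name, body)
        print(f"{mime:14} {name:10} -> {headers['Content-Disposition']}")
```

Serving SVG as `application/octet-stream` with `attachment` is the simplest safe option and matches what this merge request does for the preview feature. If a deployment later wants thumbnails of SVG uploads, the usual route is to rasterise them server-side to PNG rather than to serve the original document inline.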
