diff --git a/composer.json b/composer.json index 73b7cd7a..1e112111 100644 --- a/composer.json +++ b/composer.json @@ -29,6 +29,7 @@ "ifixit/php-akismet" : "1.*", "google/recaptcha" : "~1.1", "dapphp/securimage" : "3.6.*", + "enshrined/svg-sanitize" : "0.8.2", "bower-asset/jquery" : "1.12.3", "bower-asset/jquery-timeago" : "1.5.2", diff --git a/composer.lock b/composer.lock index ac815b70..c7eb5942 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "content-hash": "040335a85a560b3bdd3dcf55490c98a1", + "content-hash": "7f6f5b16df991e848ec468b49c856dea", "packages": [ { "name": "bower-asset/jquery", @@ -152,6 +152,43 @@ ], "time": "2017-11-21T02:29:19+00:00" }, + { + "name": "enshrined/svg-sanitize", + "version": "0.8.2", + "source": { + "type": "git", + "url": "https://github.com/darylldoyle/svg-sanitizer.git", + "reference": "432fc4fc7e95b8a866790ba27e35076b9dd96ebe" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/432fc4fc7e95b8a866790ba27e35076b9dd96ebe", + "reference": "432fc4fc7e95b8a866790ba27e35076b9dd96ebe", + "shasum": "" + }, + "require-dev": { + "codeclimate/php-test-reporter": "^0.1.2", + "phpunit/phpunit": "^4.7" + }, + "type": "library", + "autoload": { + "psr-4": { + "enshrined\\svgSanitize\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "GPL-2.0+" + ], + "authors": [ + { + "name": "Daryll Doyle", + "email": "daryll@enshrined.co.uk" + } + ], + "description": "An SVG sanitizer for PHP", + "time": "2017-12-06T15:31:26+00:00" + }, { "name": "flexihash/flexihash", "version": "v2.0.2", @@ -633,6 +670,53 @@ ], "time": "2017-04-02T07:44:40+00:00" }, + { + "name": "phpunit/php-file-iterator", + "version": "1.4.x-dev", + "source": { + "type": "git", + "url": "https://github.com/sebastianbergmann/php-file-iterator.git", + "reference": "730b01bc3e867237eaac355e06a36b85dd93a8b4" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/sebastianbergmann/php-file-iterator/zipball/730b01bc3e867237eaac355e06a36b85dd93a8b4", + "reference": "730b01bc3e867237eaac355e06a36b85dd93a8b4", + "shasum": "" + }, + "require": { + "php": ">=5.3.3" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.4.x-dev" + } + }, + "autoload": { + "classmap": [ + "src/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "BSD-3-Clause" + ], + "authors": [ + { + "name": "Sebastian Bergmann", + "email": "sb@sebastian-bergmann.de", + "role": "lead" + } + ], + "description": "FilterIterator implementation that filters files based on a list of suffixes.", + "homepage": "https://github.com/sebastianbergmann/php-file-iterator/", + "keywords": [ + "filesystem", + "iterator" + ], + "time": "2017-11-27T13:52:08+00:00" + }, { "name": "phpunit/php-text-template", "version": "1.2.1", @@ -674,6 +758,55 @@ ], "time": "2015-06-21T13:50:34+00:00" }, + { + "name": "phpunit/php-timer", + "version": "1.0.x-dev", + "source": { + "type": "git", + "url": "https://github.com/sebastianbergmann/php-timer.git", + "reference": "9513098641797ce5f459dbc1de5a54c29b0ec1fb" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/sebastianbergmann/php-timer/zipball/9513098641797ce5f459dbc1de5a54c29b0ec1fb", + "reference": "9513098641797ce5f459dbc1de5a54c29b0ec1fb", + "shasum": "" + }, + "require": { + "php": "^5.3.3 || ^7.0" + }, + "require-dev": { + "phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.0" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.0-dev" + } + }, + "autoload": { + "classmap": [ + "src/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "BSD-3-Clause" + ], + "authors": [ + { + "name": "Sebastian Bergmann", + "email": "sb@sebastian-bergmann.de", + "role": "lead" + } + ], + "description": "Utility class for timing", + "homepage": "https://github.com/sebastianbergmann/php-timer/", + "keywords": [ + "timer" + ], + "time": "2018-01-06T05:27:16+00:00" + }, { "name": "phpunit/php-token-stream", "version": "1.4.x-dev", diff --git a/ext/handle_svg/main.php b/ext/handle_svg/main.php index 2e58dbd3..2847a092 100644 --- a/ext/handle_svg/main.php +++ b/ext/handle_svg/main.php @@ -6,11 +6,19 @@ * Description: Handle static SVG files. (No thumbnail is generated for SVG files) */ +use enshrined\svgSanitize\Sanitizer; + class SVGFileHandler extends Extension { public function onDataUpload(DataUploadEvent $event) { if($this->supported_ext($event->type) && $this->check_contents($event->tmpname)) { $hash = $event->hash; - move_upload_to_archive($event); + + $sanitizer = new Sanitizer(); + $sanitizer->removeRemoteReferences(true); + $dirtySVG = file_get_contents($event->tmpname); + $cleanSVG = $sanitizer->sanitize($dirtySVG); + file_put_contents(warehouse_path("images", $hash), $cleanSVG); + send_event(new ThumbnailGenerationEvent($event->hash, $event->type)); $image = $this->create_image_from_data(warehouse_path("images", $hash), $event->metadata); if(is_null($image)) { @@ -46,7 +54,12 @@ class SVGFileHandler extends Extension { $page->set_type("image/svg+xml"); $page->set_mode("data"); - $page->set_data(file_get_contents(warehouse_path("images", $hash))); + + $sanitizer = new Sanitizer(); + $sanitizer->removeRemoteReferences(true); + $dirtySVG = file_get_contents(warehouse_path("images", $hash)); + $cleanSVG = $sanitizer->sanitize($dirtySVG); + $page->set_data($cleanSVG); } } diff --git a/ext/handle_svg/test.php b/ext/handle_svg/test.php index aaa2c350..f8aaa96c 100644 --- a/ext/handle_svg/test.php +++ b/ext/handle_svg/test.php @@ -10,5 +10,13 @@ class SVGHandlerTest extends ShimmiePHPUnitTestCase { # FIXME: test that the thumb works # FIXME: test that it gets displayed properly } + + public function testAbuiveSVG() { + $this->log_in_as_user(); + $image_id = $this->post_image("tests/alert.svg", "something"); + $this->get_page("post/view/$image_id"); + $this->get_page("get_svg/$image_id"); + $this->assert_no_content("script"); + } } diff --git a/tests/alert.svg b/tests/alert.svg new file mode 100644 index 00000000..7729c9cd --- /dev/null +++ b/tests/alert.svg @@ -0,0 +1,8 @@ + + + + + +