Merge branch 'security/rve-2026-2'

2026-04-02 01:52:10 +09:00 · 2026-02-25 20:39:06 +09:00 · 2026-02-25 20:39:06 +09:00 · 74b9533281
commit 74b9533281
parent bcda659add e4c60b56d4
4 changed files with 29 additions and 4 deletions
--- a/common/framework/Security.php
+++ b/common/framework/Security.php
@ -38,6 +38,12 @@ class Security
 				if (!utf8_check($input)) return false;
 				return Filters\FilenameFilter::clean($input);

+			// Clean up SVG content to prevent various attacks.
+			case 'svg':
+				if (!utf8_check($input)) return false;
+				$sanitizer = new \enshrined\svgSanitize\Sanitizer();
+				return strval($sanitizer->sanitize($input));
+
 			// Unknown filters.
 			default:
 				throw new Exception('Unknown filter type for sanitize: ' . $type);
--- a/common/framework/filters/FileContentFilter.php
+++ b/common/framework/filters/FileContentFilter.php
@ -44,7 +44,7 @@ class FileContentFilter
 		$skip_xml = preg_match('/^(hwpx)$/', $ext);

 		// Check SVG files.
-		if (($ext === 'svg' || $is_xml) && !self::_checkSVG($fp, 0, $filesize))
+		if (($ext === 'svg' || $is_xml) && !self::_checkSVG($fp, 0, $filesize, $ext))
 		{
 			fclose($fp);
 			return false;
@ -89,11 +89,12 @@ class FileContentFilter
 	 * @param resource $fp
 	 * @param int $from
 	 * @param int $to
+	 * @param string $ext
 	 * @return bool
 	 */
-	protected static function _checkSVG($fp, $from, $to)
+	protected static function _checkSVG($fp, $from, $to, $ext)
 	{
-		if (self::_matchStream('/(?:<|&lt;)(?:script|iframe|foreignObject|object|embed|handler)|javascript:|xlink:href\s*=\s*"(?!data:)/i', $fp, $from, $to))
+		if (self::_matchStream('/(?:<|&lt;|:)(?:script|iframe|foreignObject|object|embed|handler)|javascript:|(?:\s|:)href\s*=\s*"(?!data:)/i', $fp, $from, $to))
 		{
 			return false;
 		}
--- a/modules/file/file.controller.php
+++ b/modules/file/file.controller.php
@ -551,7 +551,7 @@ class FileController extends File
 		{
 			$download_type = 'inline';
 		}
-		if (Context::get('force_download') === 'Y')
+		if ($mime_type === 'image/svg+xml' || Context::get('force_download') === 'Y')
 		{
 			$download_type = 'attachment';
 		}
@ -936,6 +936,14 @@ class FileController extends File
 			}
 		}

+		// Sanitize SVG
+		if(!$manual_insert && !$this->user->isAdmin() && ($file_info['type'] === 'image/svg+xml' || $file_info['extension'] === 'svg'))
+		{
+			$dirty_svg = Rhymix\Framework\Storage::read($file_info['tmp_name']);
+			$clean_svg = Rhymix\Framework\Security::sanitize($dirty_svg, 'svg');
+			Rhymix\Framework\Storage::write($file_info['tmp_name'], $clean_svg);
+		}
+
 		// Adjust
 		if(!$manual_insert)
 		{
--- a/tests/unit/framework/SecurityTest.php
+++ b/tests/unit/framework/SecurityTest.php
@ -15,6 +15,16 @@ class SecurityTest extends \Codeception\Test\Unit

 		// Filename (more thorough tests in FilenameFilterTest)
 		$this->assertEquals('foo(bar).xls', Rhymix\Framework\Security::sanitize('foo<bar>.xls', 'filename'));
+
+		// SVG #1
+		$source = '<svg><rect><a href="javascript:alert(0)">Test</a></rect></svg>';
+		$target = '<?xml version="1.0" encoding="UTF-8"?>' . "\n<svg>\n  <rect>\n    <a>Test</a>\n  </rect>\n</svg>\n";
+		$this->assertEquals($target, Rhymix\Framework\Security::sanitize($source, 'svg'));
+
+		// SVG #2
+		$source = '<svg><rect></rect><script></script></svg>';
+		$target = '<?xml version="1.0" encoding="UTF-8"?>' . "\n<svg>\n  <rect></rect>\n</svg>\n";
+		$this->assertEquals($target, Rhymix\Framework\Security::sanitize($source, 'svg'));
 	}

 	public function testEncryption()