fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-04-02 01:52:10 +09:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'security/rve-2026-2'

Browse source
This commit is contained in:
Kijin Sung 2026-02-25 20:39:06 +09:00
commit 74b9533281
4 changed files with 29 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

6
common/framework/Security.php
View file

@ -38,6 +38,12 @@ class Security
if (!utf8_check($input)) return false;
return Filters\FilenameFilter::clean($input);
// Clean up SVG content to prevent various attacks.
case 'svg':
if (!utf8_check($input)) return false;
$sanitizer = new \enshrined\svgSanitize\Sanitizer();
return strval($sanitizer->sanitize($input));
// Unknown filters.
default:
throw new Exception('Unknown filter type for sanitize: ' . $type);

7
common/framework/filters/FileContentFilter.php
View file

@ -44,7 +44,7 @@ class FileContentFilter
$skip_xml = preg_match('/^(hwpx)$/', $ext);
// Check SVG files.
if (($ext === 'svg' || $is_xml) && !self::_checkSVG($fp, 0, $filesize))
if (($ext === 'svg' || $is_xml) && !self::_checkSVG($fp, 0, $filesize, $ext))
{
fclose($fp);
return false;
@ -89,11 +89,12 @@ class FileContentFilter
* @param resource $fp
* @param int $from
* @param int $to
* @param string $ext
* @return bool
*/
protected static function _checkSVG($fp, $from, $to)
protected static function _checkSVG($fp, $from, $to, $ext)
{
if (self::_matchStream('/(?:<|&lt;)(?:script|iframe|foreignObject|object|embed|handler)|javascript:|xlink:href\s*=\s*"(?!data:)/i', $fp, $from, $to))
if (self::_matchStream('/(?:<|&lt;|:)(?:script|iframe|foreignObject|object|embed|handler)|javascript:|(?:\s|:)href\s*=\s*"(?!data:)/i', $fp, $from, $to))
{
return false;
}