fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-05-04 17:44:38 +09:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'security/rve-2026-2'

Browse source
This commit is contained in:
Kijin Sung 2026-02-25 20:39:06 +09:00
commit 74b9533281
4 changed files with 29 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

6
common/framework/Security.php
View file

@ -38,6 +38,12 @@ class Security
if (!utf8_check($input)) return false; if (!utf8_check($input)) return false;
return Filters\FilenameFilter::clean($input); return Filters\FilenameFilter::clean($input);
// Clean up SVG content to prevent various attacks.
case 'svg':
if (!utf8_check($input)) return false;
$sanitizer = new \enshrined\svgSanitize\Sanitizer();
return strval($sanitizer->sanitize($input));
// Unknown filters. // Unknown filters.
default: default:
throw new Exception('Unknown filter type for sanitize: ' . $type); throw new Exception('Unknown filter type for sanitize: ' . $type);

7
common/framework/filters/FileContentFilter.php
View file

@ -44,7 +44,7 @@ class FileContentFilter
$skip_xml = preg_match('/^(hwpx)$/', $ext); $skip_xml = preg_match('/^(hwpx)$/', $ext);
// Check SVG files. // Check SVG files.
if (($ext === 'svg' || $is_xml) && !self::_checkSVG($fp, 0, $filesize)) if (($ext === 'svg' || $is_xml) && !self::_checkSVG($fp, 0, $filesize, $ext))
{ {
fclose($fp); fclose($fp);
return false; return false;
@ -89,11 +89,12 @@ class FileContentFilter
* @param resource $fp * @param resource $fp
* @param int $from * @param int $from
* @param int $to * @param int $to
* @param string $ext
* @return bool * @return bool
*/ */
protected static function _checkSVG($fp, $from, $to) protected static function _checkSVG($fp, $from, $to, $ext)
{ {
if (self::_matchStream('/(?:<|&lt;)(?:script|iframe|foreignObject|object|embed|handler)|javascript:|xlink:href\s*=\s*"(?!data:)/i', $fp, $from, $to)) if (self::_matchStream('/(?:<|&lt;|:)(?:script|iframe|foreignObject|object|embed|handler)|javascript:|(?:\s|:)href\s*=\s*"(?!data:)/i', $fp, $from, $to))
{ {
return false; return false;
} }

10
modules/file/file.controller.php
View file

@ -551,7 +551,7 @@ class FileController extends File
{ {
$download_type = 'inline'; $download_type = 'inline';
} }
if (Context::get('force_download') === 'Y') if ($mime_type === 'image/svg+xml' || Context::get('force_download') === 'Y')
{ {
$download_type = 'attachment'; $download_type = 'attachment';
} }
@ -936,6 +936,14 @@ class FileController extends File
} }
} }
// Sanitize SVG
if(!$manual_insert && !$this->user->isAdmin() && ($file_info['type'] === 'image/svg+xml' || $file_info['extension'] === 'svg'))
{
$dirty_svg = Rhymix\Framework\Storage::read($file_info['tmp_name']);
$clean_svg = Rhymix\Framework\Security::sanitize($dirty_svg, 'svg');
Rhymix\Framework\Storage::write($file_info['tmp_name'], $clean_svg);
}
// Adjust // Adjust
if(!$manual_insert) if(!$manual_insert)
{ {

10
tests/unit/framework/SecurityTest.php
View file

@ -15,6 +15,16 @@ class SecurityTest extends \Codeception\Test\Unit
// Filename (more thorough tests in FilenameFilterTest) // Filename (more thorough tests in FilenameFilterTest)
$this->assertEquals('foo(bar).xls', Rhymix\Framework\Security::sanitize('foo<bar>.xls', 'filename')); $this->assertEquals('foo(bar).xls', Rhymix\Framework\Security::sanitize('foo<bar>.xls', 'filename'));
// SVG #1
$source = '<svg><rect><a href="javascript:alert(0)">Test</a></rect></svg>';
$target = '<?xml version="1.0" encoding="UTF-8"?>' . "\n<svg>\n <rect>\n <a>Test</a>\n </rect>\n</svg>\n";
$this->assertEquals($target, Rhymix\Framework\Security::sanitize($source, 'svg'));
// SVG #2
$source = '<svg><rect></rect><script></script></svg>';
$target = '<?xml version="1.0" encoding="UTF-8"?>' . "\n<svg>\n <rect></rect>\n</svg>\n";
$this->assertEquals($target, Rhymix\Framework\Security::sanitize($source, 'svg'));
} }
public function testEncryption() public function testEncryption()