Status: Pending


dgt41 - 7 Jan 2017

Pull Request for Issue # .

Summary of Changes

This PR enables SVG uploads and introduces a sanitiser for SVG files.
Sanitizer source: https://github.com/darylldoyle/svg-sanitizer
It is missing some needed DB updates; I will do them if it gets approved.

  • This SHOULD NOT interfere with the work currently done in the new media manager group
  • The security strike team needs to approve this, so calling @Kubik-Rubik

Testing Instructions

  • Apply patch
  • Edit media configuration and replace the contents of Legal Extensions (File Types) with
bmp,csv,doc,gif,ico,jpg,jpeg,odg,odp,ods,odt,pdf,png,ppt,swf,txt,xcf,xls,svg,BMP,CSV,DOC,GIF,ICO,JPG,JPEG,ODG,ODP,ODS,ODT,PDF,PNG,PPT,SWF,TXT,XCF,XLS,SVG

  • Try to upload an SVG file

Preview

[Screenshot: screen shot 2017-01-07 at 14 59 41]

Documentation Changes Required

NOTES

  • This PR was created only as a way for the security strike team to evaluate the usage of the SVG sanitisation
  • The SVG support limits SVGs to a certain level, as many features (e.g. scripts) will be removed
  • This PR was not meant to override the work done in the new media manager group; it's more like a bridge to the security team for an evaluation of a sanitisation library that could possibly be used by the new media group

I hope that this clears up my intentions here (speed up the process by involving more people)


dgt41 - open - 7 Jan 2017
dgt41 - change - 7 Jan 2017
Status: New → Pending
joomla-cms-bot - change - 7 Jan 2017
Category: Administration com_media External Library Libraries Repository Unit Tests
dgt41 - change - 7 Jan 2017
The description was changed
dgt41 - edited - 7 Jan 2017
19b7fb9 7 Jan 2017 dgt41 CS
dgt41 - change - 7 Jan 2017
Labels Added
Bakual - comment - 7 Jan 2017

What are those changes in the autoloading files? Those look wrong to me.

wilsonge - comment - 7 Jan 2017

Dimitris is on an older version of composer :) It's regressing the autoload files back from composer 1.3.x to 1.2.x

dgt41 - comment - 7 Jan 2017

I see, will update that in a bit...

joomla-cms-bot - change - 7 Jan 2017
Category: Administration com_media External Library Libraries Repository Unit Tests → External Library Libraries Repository Unit Tests
dgt41 - comment - 7 Jan 2017

Also, Joomla does not support uploading of WebP images...
About WebP: https://developers.google.com/speed/webp/

uglyeoin - comment - 10 Jan 2017

I have tested this item successfully on e4fd085

The SVG uploaded, but I was unable to select it as my intro image or as a normal image, rendering it pointless. I need further instructions to test whether the sanitisation worked.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13499.

uglyeoin - test_item - 10 Jan 2017 - Tested successfully
dgt41 - comment - 10 Jan 2017

@uglyeoin one easy way to test the uploaded file is by pointing your browser to the path of the SVG, e.g. /images/test.svg. Then you can inspect the uploaded file with the browser's development tools:
[Screenshot: screen shot 2017-01-10 at 17 09 57]

dgt41 - change - 10 Jan 2017
The description was changed
dgt41 - edited - 10 Jan 2017
anibalsanchez - comment - 11 Jan 2017

I have tested this item successfully on e4fd085

Test OK


anibalsanchez - test_item - 11 Jan 2017 - Tested successfully
ghazal - comment - 17 Jan 2017

I have tested this item successfully on e4fd085

@uglyeoin I guess this is not the purpose of this patch. As the title says, it only implements a way to make safe use of the SVG format.
Check this also: #4674


ghazal - test_item - 17 Jan 2017 - Tested successfully
uglyeoin - comment - 17 Jan 2017

@ghazal I guess so. I have tested it successfully, but I have not tested the security side of things. I guess I need an insecure SVG in order to do so. I assume the other tests took this into account?

uglyeoin - comment - 17 Jan 2017

@dgt41 perhaps you could supply an SVG for people to test with?
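Added example for the two questions in this thread (what "scripts will be removed" means in practice, and what a test SVG for the security side would look like). This is not Joomla code and not the darylldoyle/svg-sanitizer library; it is a minimal allowlist sanitiser in Python that illustrates the same technique, plus a `find_dangerous` check to run over the file fetched back from the site (e.g. /images/test.svg) after an upload. The element and attribute allowlists, the `MALICIOUS_SVG` sample and all function names are assumptions chosen for this illustration, not the library's own lists.

```python
"""Allowlist-based SVG sanitiser and a checker for the constructs a
sanitiser must remove (script elements, on* event handlers,
javascript: URLs, foreignObject).

Added example for this PR thread: NOT Joomla code and NOT
darylldoyle/svg-sanitizer; it only illustrates the allowlist technique
such a library applies.  The sample SVG and the allowlists below are
constructed/assumed for the example."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Assumed allowlists (local names), enough for icons and simple drawings.
# Anything not listed is dropped: script, foreignObject, image, style, ...
ALLOWED_ELEMENTS = {
    "svg", "g", "a", "path", "rect", "circle", "ellipse", "line", "polyline",
    "polygon", "text", "tspan", "defs", "use", "title", "desc",
    "linearGradient", "radialGradient", "stop", "clipPath",
}
ALLOWED_ATTRIBUTES = {
    "id", "class", "viewBox", "width", "height", "x", "y", "x1", "y1",
    "x2", "y2", "cx", "cy", "r", "rx", "ry", "d", "points", "fill",
    "stroke", "stroke-width", "transform", "opacity", "offset",
    "stop-color", "clip-path", "href",
}

# Constructed test input: the <rect>/<circle> geometry and the <use>
# fragment reference are legitimate; everything else must be stripped.
MALICIOUS_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     viewBox="0 0 100 100" onload="alert(document.domain)">
  <script>alert('xss')</script>
  <rect x="10" y="10" width="80" height="80" fill="#09f" onclick="alert(1)"/>
  <a xlink:href="javascript:alert(2)"><circle cx="50" cy="50" r="20"/></a>
  <use xlink:href="#shape"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">
    <img src="x" onerror="alert(3)"/></body></foreignObject>
</svg>"""


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags/attributes."""
    return name.rsplit("}", 1)[-1]


def _clean(elem: ET.Element) -> None:
    # Children first; iterate over a copy because we mutate the list.
    for child in list(elem):
        if _local(child.tag) in ALLOWED_ELEMENTS:
            _clean(child)
        else:
            elem.remove(child)               # script, foreignObject, ...
    for name in list(elem.attrib):
        local = _local(name)
        value = elem.attrib[name].strip()
        if local.lower().startswith("on"):
            del elem.attrib[name]            # onload, onclick, onerror, ...
        elif local not in ALLOWED_ATTRIBUTES:
            del elem.attrib[name]            # style, unknown vendor attrs, ...
        elif local == "href" and not value.startswith("#"):
            del elem.attrib[name]            # javascript:, data:, http(s): refs


def sanitize_svg(svg_text: str) -> str:
    """Return svg_text with disallowed elements/attributes removed.

    Caveat: stdlib ElementTree does not limit entity expansion; in
    production parse with defusedxml or equivalent before sanitising."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    _clean(root)
    return ET.tostring(root, encoding="unicode")


DANGER = [
    ("script element", re.compile(r"<\s*script\b", re.I)),
    ("event handler attribute", re.compile(r"\son[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("foreignObject element", re.compile(r"<\s*foreignObject\b", re.I)),
]


def find_dangerous(svg_text: str) -> list:
    """Labels of dangerous constructs present; [] means the checks pass.
    Run this on the file fetched back from the site (e.g. /images/test.svg)
    to see whether the upload path actually sanitised it."""
    return [label for label, rx in DANGER if rx.search(svg_text)]


if __name__ == "__main__":
    print("before:", find_dangerous(MALICIOUS_SVG))
    clean = sanitize_svg(MALICIOUS_SVG)
    print("after: ", find_dangerous(clean))
    print(clean)
```

To use this against the patch itself: save `MALICIOUS_SVG` as test.svg, upload it through the media manager, fetch /images/test.svg and run `find_dangerous` on the response body; an empty list means the listed constructs were removed server-side, while a non-empty list names what survived. The PHP library under review keeps its own allowlists, so treat the Python block as a model of the technique and a source of test input, not as a statement of that library's exact behaviour.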

dgt41 - change - 13 Mar 2017
Status: Pending → Closed
Closed_Date: 0000-00-00 00:00:00 → 2017-03-13 12:06:43
Closed_By: dgt41
dgt41 - close - 13 Mar 2017
