Disable inline JavaScript when directly opening SVG files.
This PR adds an SVG-file-only CSP rule to protect against JavaScript code embedded in SVG files.
This issue was initially reported to the JSST by Lee Thao.
Upload an SVG file with this content to the images folder:
<?xml version="1.0" encoding="UTF-8"?>
<svg width="30" height="30" xmlns="http://www.w3.org/2000/svg">
<circle cx="15" cy="15" r="15" onclick="alert('svg inline script executed!')"></circle>
</svg>
Try to access that image directly in the browser and click on the black circle.
Please notice the message "svg inline script executed!".
Apply the changes in this PR to the htaccess file.
Reload & click the circle again.
There is no message any more.
When accessing SVGs from outside of image tags, JavaScript can be executed, which could lead to XSS.
With the proposed changes here we apply a dedicated CSP rule to SVG files that blocks all inline JS.
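The shape of such a rule in `.htaccess`, written here as an added illustration of the approach the PR describes (a `FilesMatch` block restricted to `.svg`, guarded by `IfModule mod_headers.c` so the file still parses when `mod_headers` is absent, emitting a CSP with `script-src 'none'`); this is an editor's example, not the PR's diff, and the exact comment and directive wording are assumptions:

```apache
## Disable inline JavaScript when directly opening SVG files or embedding them with the object tag.
## Only SVG responses get this policy; normal <img> usage is unaffected because
## images never execute script regardless of CSP.
<FilesMatch "\.svg$">
  <IfModule mod_headers.c>
    ## 'always' makes the header apply to every response status, not only 2xx.
    ## Without mod_headers the whole block is skipped: the server serves the SVG
    ## with no policy at all (see the mod_headers discussion further down).
    Header always set Content-Security-Policy "script-src 'none'"
  </IfModule>
</FilesMatch>
```

After applying it, a direct request for an SVG under the site root should return a `Content-Security-Policy: script-src 'none'` response header; if it does not, `mod_headers` is not loaded and the hardening is silently inactive.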
Status | New | ⇒ | Pending |
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-07-29 20:07:18 |
Closed_By | ⇒ | HLeithner | |
Status | Closed | ⇒ | New |
Closed_Date | 2020-07-29 20:07:18 | ⇒ | |
Closed_By | HLeithner | ⇒ |
Status | New | ⇒ | Pending |
Agree can you give me an example for the text to be used?
It should say something like additional hardening for SVG files and that they can accomplish that hardening by adding the mentioned lines to the htaccess file.
I would use the previous message ".htaccess & web.config Security Update" as a template for this one.
Joomla is now shipped with an additional security rule in the default htaccess.txt and web.config.txt files. This rule will protect users of SVG files from potential Cross-Site Scripting (XSS) vulnerabilities.
The security team recommends to manually ....
I have tested this item
Tested successfully in Beta3.
I have tested this item
Category | ⇒ | Administration com_admin SQL Postgresql MS SQL Language & Strings |
@viocassel @toivo can you take a look into the postinstall message that has been added here? So we can mark this as RTC for 3.9.21 :)
@zero-24 Can we be 100% sure that on Apache the mod_headers is enabled?
If not (what I assume), then we have to wrap the htaccess change into an <IfModule mod_headers.c>, if it is possible to have nested IfModule and FilesMatch. Otherwise, if it is not possible, we have at least to add some comment and extend the postinstall message.
@zero-24 Now it will not crash if mod_headers is not there => Fine.
But it also will not apply the rule in this case, and so you can upload dangerous svg.
Is there anything we can do about this?
I mean we have that problem with all csp headers we set in htaccess.
Maybe we really should require mod_headers?
And the next question of course is: What do we do with IIS?
> And the next question of course is: What do we do with IIS?

As mentioned in the postinstall, I'm not aware of how to do that with web.config.

> @zero-24 Now it will not crash if mod_headers is not there => Fine.
> But it also will not apply the rule in this case, and so you can upload dangerous svg.
> Is there anything we can do about this?
> I mean we have that problem with all csp headers we set in htaccess.
> Maybe we really should require mod_headers?

We just apply server side protection here.
When it is not there but taken care of otherwise on the server side, this is fine.
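The thread's concern is that the `IfModule` guard fails silently: without `mod_headers` the SVG is served with no policy, and a site operator cannot tell from the config alone. One way to verify the outcome rather than the config is to check the headers an SVG response actually carries. The helper below is an added example by the editor, not code from the PR or from Joomla; it takes response headers as a plain dict (the sample responses are constructed, not captured from a server) and reports whether the enforced CSP really forbids inline handlers such as the `onclick` in the test SVG:

```python
"""Check whether the CSP served with an SVG response blocks inline script.
Added verification helper; not part of the Joomla PR."""
from typing import Dict, List, Optional


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.
    Directives are ';'-separated; the first token of each is its name.
    Browsers ignore a directive that is repeated later in the same
    policy, so only the first occurrence is kept."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def governing_script_sources(policy: str) -> Optional[List[str]]:
    """Source list that governs script execution: script-src if present,
    otherwise default-src as the fallback, otherwise None (unrestricted)."""
    directives = parse_csp(policy)
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def inline_script_blocked(headers: Dict[str, str]) -> bool:
    """True if the response carries an *enforced* CSP under which an inline
    handler (onclick="...") on an SVG element cannot run.
    A Content-Security-Policy-Report-Only header is deliberately not
    counted: it reports violations but does not block anything."""
    csp = None
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            csp = value
    if csp is None:
        return False  # e.g. mod_headers missing: no header, no protection
    sources = governing_script_sources(csp)
    if sources is None:
        return False  # a policy exists but says nothing about scripts
    # 'unsafe-inline' re-enables inline handlers. If a nonce or hash source
    # is also present, CSP Level 2+ browsers ignore 'unsafe-inline'; this
    # check stays conservative and still reports inline as allowed.
    return "'unsafe-inline'" not in sources


# Constructed sample responses (not captured from a real server).
HARDENED = {
    "Content-Type": "image/svg+xml",
    "Content-Security-Policy": "script-src 'none'",
}
NO_MOD_HEADERS = {  # IfModule block skipped: the rule is never emitted
    "Content-Type": "image/svg+xml",
}
REPORT_ONLY = {
    "Content-Type": "image/svg+xml",
    "Content-Security-Policy-Report-Only": "script-src 'none'",
}
DEFAULT_SRC_ONLY = {
    "Content-Type": "image/svg+xml",
    "Content-Security-Policy": "default-src 'self'",
}
UNSAFE = {
    "Content-Type": "image/svg+xml",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    samples = [("hardened", HARDENED), ("no mod_headers", NO_MOD_HEADERS),
               ("report-only", REPORT_ONLY), ("default-src only", DEFAULT_SRC_ONLY),
               ("unsafe-inline", UNSAFE)]
    for label, hdrs in samples:
        print(f"{label:17s} inline script blocked: {inline_script_blocked(hdrs)}")
```

Feeding it the headers from a real request (for example the dict returned by an HTTP client for a direct `GET` of an uploaded `.svg`) gives a yes/no answer that does not depend on guessing which Apache modules are loaded, and the same check works for an IIS host once a `web.config` rule is in place.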
I have tested this item
Status | Pending | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-08-19 18:49:05 |
Closed_By | ⇒ | HLeithner |
Thanks
This should be accompanied by a postinstallation message.