This refers to a discussion earlier today on Glip/Ring Central, where some people (@renekreijveld and Elisa Foltyn @coolcat-creations) mentioned that SVGs could not be uploaded in the Media Manager.
SVGs can be uploaded.
Some SVGs are blocked.
David Jardin @SniperSister explained that files can be rejected when the sanitizer library considers them harmful.
David Jardin was asking for examples so that the sanitizer library can be improved/corrected.
Here is one: https://fontawesome.com/icons/microphone-lines?s=solid
Besides that issue, it is a bit strange/sad that the Media Manager shows SVGs as if they were totally transparent (whereas the same SVG preview does work on Intro Image or in the Menu Item Image fields).
Labels | ? | ⇒ | No Code Attached Yet |
SVGs are safe if used through a URL. They become suspicious (not necessarily bad) if they are about to be used inline. The idea that SVGs are by default a security threat is a myth. Also, for Joomla, which uses only PHP on the server side, any JS/CSS security flaws are not valid; these will only occur in the client, and XSS is quite common in almost all Joomla extensions (even in the core).
these will only occur in the client and XSS is quite common in almost all Joomla extensions
… and if those XSS issues occur in the context of an admin user, they become a real threat to the site itself, as the script performs actions with the permissions of that admin user. So, XSS is not only an annoying client-side thing, but a real issue.
Apparently it is the comment in the svg which triggers the upload failure:
<!--! Font Awesome Pro 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2022 Fonticons, Inc. -->
So, XSS is not only an annoying client-side thing, but a real issue.
Then you have quite a few real issues. Let me know if you want me to make a list of all the XSS I've already spotted...
Apparently it is the comment in the svg which triggers the upload failure:
<!--! Font Awesome Pro 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2022 Fonticons, Inc. -->
I can confirm.
Should the security system be corrected? Or can it be really dangerous to use comments like that in an SVG?
Our designer, when she creates original SVG, puts a comment with her copyright, similar to this...
Maybe the svg sanitize script is not as good as it thinks or it has been implemented wrongly
I tested three svg
- fontawesome - failed to upload
- test svg containing xss exploit - uploaded without problem
- test svg with ssrf exploit - uploaded without problem
Hmm, sounds like a true and false was mixed up somewhere … upload if bad SVG, block if good SVG.
Maybe the svg sanitize script is not as good as it thinks or it has been implemented wrongly
I tested three svg
1. fontawesome - failed to upload
2. test svg containing xss exploit - uploaded without problem
3. test svg with ssrf exploit - uploaded without problem
Would you mind attaching the svgs here?
I've zipped the 4 samples to avoid any mangling by github.
1, 3 & 4 were found online as test images
2 was downloaded from fontawesome
After adding svg to the supported mime types etc. and trying to upload all 4 images, the results were:
bad1 - uploaded
bad2 - rejected
bad3 - uploaded
bad4 - rejected
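As an added illustration (not the sanitizer library's code and not from anyone in this thread), the check below shows why a licence/copyright comment like the Font Awesome one quoted above is harmless to a parser, while script elements, event-handler attributes and external references are the content that the "bad" test files carry and that a sanitizer should reject. The samples are constructed; `example.invalid` and `probe()` are placeholders.

```python
import xml.etree.ElementTree as ET  # stdlib parser; use defusedxml in production

SVG_NS = "http://www.w3.org/2000/svg"
DENY_TAGS = {"script", "foreignObject"}  # elements a sanitizer should never accept


def local(name: str) -> str:
    """Strip the ElementTree namespace prefix: '{ns}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def check_svg(svg: str) -> list[str]:
    """Return findings for an SVG document; an empty list means it is acceptable.
    The parser discards XML comments, so a licence/copyright comment never matters."""
    findings = []
    if "<!DOCTYPE" in svg or "<!ENTITY" in svg:  # entity expansion tricks: reject outright
        findings.append("doctype/entity declaration")
    try:
        root = ET.fromstring(svg.encode("utf-8"))
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    for el in root.iter():
        tag = local(el.tag)
        if tag in DENY_TAGS:
            findings.append(f"element <{tag}>")
        if tag == "style" and el.text and ("@import" in el.text or "url(" in el.text):
            findings.append("external reference inside <style>")
        for attr, value in el.attrib.items():
            name = local(attr).lower()
            if name.startswith("on"):  # onload, onclick, ... event handlers
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and not value.startswith("#"):  # covers xlink:href too
                findings.append(f"external reference on <{tag}>: {value}")
    return findings


# Constructed samples (not the files from the thread). CLEAN carries the exact Font
# Awesome comment quoted in the issue plus a trivial shape; the others are minimal markers.
CLEAN = """<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
<!--! Font Awesome Pro 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2022 Fonticons, Inc. -->
<rect width="10" height="10"/>
</svg>"""
SCRIPT = ('<svg xmlns="http://www.w3.org/2000/svg" onload="probe()">'
          '<script>/* constructed */</script></svg>')
EXTERNAL = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            '<image xlink:href="http://example.invalid/probe.png"/></svg>')

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("script", SCRIPT), ("external", EXTERNAL)):
        print(label, check_svg(sample) or "accepted")
```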
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-04-30 23:02:35 |
Closed_By | ⇒ | bembelimen |
(besides, I don't want to reopen a debate if it has already been discussed during days/weeks/months/years, but shouldn't SVG be allowed by default in the Media Manager?)
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/37439.