No Code Attached Yet
avatar woluweb
woluweb
31 Mar 2022

Steps to reproduce the issue

This refers to a discussion earlier today on Glip/Ring Central, where some people (@renekreijveld and Elisa Foltyn @coolcat-creations) mentioned that SVGs could not be uploaded in the Media Manager.

Expected result

SVGs can be uploaded

Actual result

Some SVGs are blocked.
David Jardin @SniperSister explained that files can be rejected when the sanitizer library considers them harmful.

System information (as much as possible)

David Jardin was asking for examples so that the sanitizer library can be improved/corrected.
Here is one: https://fontawesome.com/icons/microphone-lines?s=solid

Additional comments

Besides that issue, it is a bit strange/sad that the Media Manager shows SVGs as if they were totally transparent (whereas the same SVG preview does work on Intro Image or in the Menu Item Image fields).

Votes

# of Users Experiencing Issue
1/1
Average Importance Score
5.00

avatar woluweb woluweb - open - 31 Mar 2022
avatar woluweb woluweb - change - 31 Mar 2022
Labels Removed: ?
avatar joomla-cms-bot joomla-cms-bot - change - 31 Mar 2022
Labels Added: No Code Attached Yet
avatar joomla-cms-bot joomla-cms-bot - labeled - 31 Mar 2022
avatar woluweb
woluweb - comment - 31 Mar 2022

(besides, I don't want to reopen a debate if it has already been discussed during days/weeks/months/years, but shouldn't SVG be allowed by default in the Media Manager?)


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/37439.

avatar dgrammatiko
dgrammatiko - comment - 31 Mar 2022

SVGs are safe if used through a URL. They become suspicious (not necessarily bad) if they're about to be used inline. The thing that SVGs by default are a security threat is a myth. Also, for Joomla, which uses only PHP on the server side, any js/css security flaws are not valid; these will only occur in the client, and XSS is quite common in almost all Joomla extensions (even in the core).

avatar SniperSister
SniperSister - comment - 31 Mar 2022

these will only occur in the client and XSS is quite common in almost all Joomla extensions

… and if those XSS issues occur in the context of an admin user, they become a real threat to the site itself as the script performs actions with the permissions of that admin user. So, XSS is not only an annoying client-side thing, but a real issue.

avatar woluweb
woluweb - comment - 31 Mar 2022

Apparently it is the comment in the svg which triggers the upload failure:
<!--! Font Awesome Pro 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2022 Fonticons, Inc. -->

avatar dgrammatiko
dgrammatiko - comment - 31 Mar 2022

So, XSS is not only an annoying client-side thing, but a real issue.

Then you have quite a few real issues. Let me know if you want me to make a list of all the XSS I've already spotted...

avatar simbus82
simbus82 - comment - 31 Mar 2022

Apparently it is the comment in the svg which triggers the upload failure: <!--! Font Awesome Pro 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2022 Fonticons, Inc. -->

I can confirm.
Should the security system be corrected? Or can it be really dangerous to use comments like that in an SVG?
Our designer, when she creates an original SVG, puts a comment with her copyright, similar to this...

avatar brianteeman
brianteeman - comment - 31 Mar 2022

Maybe the svg sanitize script is not as good as it thinks or it has been implemented wrongly

I tested three svg

  1. fontawesome - failed to upload
  2. test svg containing xss exploit - uploaded without problem
  3. test svg with ssrf exploit - uploaded without problem

avatar richard67
richard67 - comment - 31 Mar 2022

Maybe the svg sanitize script is not as good as it thinks or it has been implemented wrongly

I tested three svg

  1. fontawesome - failed to upload
  2. test svg containing xss exploit - uploaded without problem
  3. test svg with ssrf exploit - uploaded without problem

Hmm, sounds like a true and false was mixed up somewhere … upload if bad SVG, block if good SVG.
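As an added illustration of the policy the comments above argue for (this is example code written for this page, not Joomla's sanitizer library or anything attached to this thread): an SVG upload scan that parses the file with XML comments preserved, never counts a comment as a finding, and rejects only active content (script elements, event-handler attributes) and references that leave the document (href, url() in CSS). The deny-list, the "fragment-only is internal" rule, and all sample files except the Font Awesome licence comment quoted above are assumptions constructed for the example.

```python
"""Comment-tolerant SVG upload scan (added example; not Joomla's sanitizer).

Comments are parsed but never count as a finding; only script, event
handlers and references outside the document do. Run stand-alone to see
the accept/reject decision for each constructed sample.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Assumed deny-list for this example: elements that execute script or embed
# foreign (HTML) content. A production sanitizer would use an allow-list.
BLOCKED_ELEMENTS = {"script", "foreignObject"}

# url(...) inside CSS; the target is captured so fragment refs can be allowed.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)")


def local_name(qualified: str) -> str:
    """ElementTree writes namespaced names as '{uri}name'; return 'name'."""
    return qualified.rsplit("}", 1)[-1]


def is_external(ref: str) -> bool:
    """Only same-document fragments (#id) are internal; http(s):, data:,
    file: and protocol-relative URLs all count as external (assumed rule)."""
    return not ref.strip().startswith("#")


def external_css_refs(css: str) -> list[str]:
    """url() targets in a style attribute or <style> block that leave the document."""
    return [m.group(1).strip() for m in CSS_URL.finditer(css) if is_external(m.group(1))]


def scan_svg(svg_text: str) -> list[str]:
    """Return a list of findings; an empty list means the upload passes."""
    # insert_comments=True keeps comments in the tree, so the loop below can
    # show explicitly that they are skipped rather than silently dropped.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    try:
        root = ET.fromstring(svg_text, parser=parser)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return [f"root element is not an SVG <svg>: {root.tag}"]

    findings: list[str] = []
    for el in root.iter():
        if el.tag is ET.Comment:
            continue  # licence headers and other comments are harmless
        name = local_name(el.tag)
        if name in BLOCKED_ELEMENTS:
            findings.append(f"blocked element <{name}>")
        if name == "style" and el.text:
            for ref in external_css_refs(el.text):
                findings.append(f"external url() in <style>: {ref}")
        for attr, value in el.attrib.items():
            aname = local_name(attr)  # handles both href and xlink:href
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and is_external(value):
                findings.append(f"external reference on <{name}>: {value}")
            elif aname == "style":
                for ref in external_css_refs(value):
                    findings.append(f"external url() in style attribute on <{name}>: {ref}")
    return findings


# Constructed samples. Only the licence comment is taken from the thread above.
FA_LIKE = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512">
<!--! Font Awesome Pro 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2022 Fonticons, Inc. -->
<path d="M10 10h20v20H10z"/></svg>"""

SCRIPT_SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" onload="/* constructed handler */">
<script>/* constructed: any inline script is a finding */</script><circle r="5"/></svg>"""

REMOTE_REF_SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="http://internal.example.invalid/resource" width="10" height="10"/></svg>"""

CSS_SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg">
<style>rect { fill: url(#g) }</style>
<rect style="fill:url(http://cdn.example.invalid/x.png)" width="1" height="1"/></svg>"""

if __name__ == "__main__":
    samples = [("font-awesome-like", FA_LIKE), ("script+handler", SCRIPT_SAMPLE),
               ("remote image", REMOTE_REF_SAMPLE), ("css url()", CSS_SAMPLE)]
    for label, sample in samples:
        result = scan_svg(sample)
        print(f"{label}: {'accept' if not result else 'reject'} {result}")
```

The point of the example is the asymmetry brianteeman's test exposed: the file that should pass (a licence comment plus a path) produces no findings, while the files built around script execution and remote fetches produce one finding per dangerous construct, which is what a sanitizer should report before it decides to strip or reject.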

avatar bembelimen
bembelimen - comment - 27 Apr 2022

Maybe the svg sanitize script is not as good as it thinks or it has been implemented wrongly

I tested three svg

  1. fontawesome - failed to upload
  2. test svg containing xss exploit - uploaded without problem
  3. test svg with ssrf exploit - uploaded without problem

Would you mind attaching the svgs here?

avatar brianteeman
brianteeman - comment - 27 Apr 2022

I've zipped the 4 samples to avoid any mangling by github.
1, 3 & 4 were found online as test images
2 was downloaded from fontawesome

After adding svg to the supported mime types etc and trying to upload all 4 images the results were

bad1 - uploaded
bad2 - rejected
bad3 - uploaded
bad4 - rejected

svg.zip

avatar bembelimen bembelimen - close - 30 Apr 2022
avatar bembelimen
bembelimen - comment - 30 Apr 2022

Please test #37703

avatar bembelimen bembelimen - change - 30 Apr 2022
Status New Closed
Closed_Date 0000-00-00 00:00:00 2022-04-30 23:02:35
Closed_By bembelimen
