From da5af2fae091041cca27b24b6f0e69e4a6d0dc60 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Wed, 16 Sep 2020 16:25:20 +0300 Subject: [PATCH] cached_url: block SVG images because of potential javascript inside --- include/functions.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/include/functions.php b/include/functions.php index eaba61a05..bc66317bb 100644 --- a/include/functions.php +++ b/include/functions.php @@ -1820,8 +1820,11 @@ if ($mimetype == "application/octet-stream") $mimetype = "video/mp4"; + # block SVG because of possible embedded javascript (.....) + $mimetype_blacklist = [ "image/svg+xml" ]; + /* only serve video and images */ - if (!preg_match("/(image|video)\//", $mimetype)) { + if (!preg_match("/(image|video)\//", $mimetype) || in_array($mimetype, $mimetype_blacklist)) { http_response_code(400); header("Content-type: text/plain");