valvin
/
ttrss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cached_url: block SVG images because of potential javascript inside

This commit is contained in:
Andrew Dolgov 2020-09-16 16:25:20 +03:00
parent 33fdde249e
commit da5af2fae0
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
include/functions.php
View File

@ -1820,8 +1820,11 @@
if ($mimetype == "application/octet-stream")
$mimetype = "video/mp4";
# block SVG because of possible embedded javascript (.....)
$mimetype_blacklist = [ "image/svg+xml" ];
/* only serve video and images */
if (!preg_match("/(image|video)\//", $mimetype)) {
if (!preg_match("/(image|video)\//", $mimetype) || in_array($mimetype, $mimetype_blacklist)) {
http_response_code(400);
header("Content-type: text/plain");