summaryrefslogtreecommitdiff
path: root/app/uploaders
diff options
context:
space:
mode:
authorRobert Speicher <robert@gitlab.com>2017-02-13 22:42:46 +0000
committerRobert Speicher <rspeicher@gmail.com>2017-02-15 10:42:13 -0500
commitdd944bf14f4a0fd555db32d5833325fa459d9565 (patch)
tree7822980b0076e2b116933bd1732d31c3e9d160e7 /app/uploaders
parent7e1f7a02dbe3ebb6688005a4d966670bea12beb1 (diff)
downloadgitlab-ce-dd944bf14f4a0fd555db32d5833325fa459d9565.tar.gz
Merge branch 'svg-xss-fix' into 'security'
Fix for XSS vulnerability in SVG attachments See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2059
Diffstat (limited to 'app/uploaders')
-rw-r--r--app/uploaders/file_uploader.rb2
-rw-r--r--app/uploaders/uploader_helper.rb9
2 files changed, 9 insertions, 2 deletions
diff --git a/app/uploaders/file_uploader.rb b/app/uploaders/file_uploader.rb
index 47bef7cd1e4..23b7318827c 100644
--- a/app/uploaders/file_uploader.rb
+++ b/app/uploaders/file_uploader.rb
@@ -36,7 +36,7 @@ class FileUploader < GitlabUploader
escaped_filename = filename.gsub("]", "\\]")
markdown = "[#{escaped_filename}](#{self.secure_url})"
- markdown.prepend("!") if image_or_video?
+ markdown.prepend("!") if image_or_video? || dangerous?
{
alt: filename,
diff --git a/app/uploaders/uploader_helper.rb b/app/uploaders/uploader_helper.rb
index fbaea2744a3..35fd1ed23f8 100644
--- a/app/uploaders/uploader_helper.rb
+++ b/app/uploaders/uploader_helper.rb
@@ -1,12 +1,15 @@
# Extra methods for uploader
module UploaderHelper
- IMAGE_EXT = %w[png jpg jpeg gif bmp tiff svg]
+ IMAGE_EXT = %w[png jpg jpeg gif bmp tiff]
# We recommend using the .mp4 format over .mov. Videos in .mov format can
# still be used but you really need to make sure they are served with the
# proper MIME type video/mp4 and not video/quicktime or your videos won't play
# on IE >= 9.
# http://archive.sublimevideo.info/20150912/docs.sublimevideo.net/troubleshooting.html
VIDEO_EXT = %w[mp4 m4v mov webm ogv]
+ # These extension types can contain dangerous code and should only be embedded inline with
+ # proper filtering. They should always be tagged as "Content-Disposition: attachment", not "inline".
+ DANGEROUS_EXT = %w[svg]
def image?
extension_match?(IMAGE_EXT)
@@ -20,6 +23,10 @@ module UploaderHelper
image? || video?
end
+ def dangerous?
+ extension_match?(DANGEROUS_EXT)
+ end
+
def extension_match?(extensions)
return false unless file