diff --git a/composer.json b/composer.json index 73b7cd7a4..1e1121118 100644 --- a/composer.json +++ b/composer.json @@ -29,6 +29,7 @@ "ifixit/php-akismet" : "1.*", "google/recaptcha" : "~1.1", "dapphp/securimage" : "3.6.*", + "enshrined/svg-sanitize" : "0.8.2", "bower-asset/jquery" : "1.12.3", "bower-asset/jquery-timeago" : "1.5.2", diff --git a/composer.lock b/composer.lock index 0be19b198..c7eb59422 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "content-hash": "040335a85a560b3bdd3dcf55490c98a1", + "content-hash": "7f6f5b16df991e848ec468b49c856dea", "packages": [ { "name": "bower-asset/jquery", @@ -91,32 +91,32 @@ "source": { "type": "git", "url": "https://github.com/christianbach/tablesorter.git", - "reference": "774576308e8a25aa9d68b7fe3069b79543992d7a" + "reference": "07e0918254df3c2057d6d8e4653a0769f1881412" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/christianbach/tablesorter/zipball/774576308e8a25aa9d68b7fe3069b79543992d7a", - "reference": "774576308e8a25aa9d68b7fe3069b79543992d7a", + "url": "https://api.github.com/repos/christianbach/tablesorter/zipball/07e0918254df3c2057d6d8e4653a0769f1881412", + "reference": "07e0918254df3c2057d6d8e4653a0769f1881412", "shasum": null }, "type": "bower-asset", "license": [ "MIT,GPL" ], - "time": "2015-12-03T01:22:52+00:00" + "time": "2017-12-20T18:16:21+00:00" }, { "name": "dapphp/securimage", - "version": "3.6.5", + "version": "3.6.6", "source": { "type": "git", "url": "https://github.com/dapphp/securimage.git", - "reference": "3f5a84fd80b1a35d58332896c944142713a7e802" + "reference": "6eea2798f56540fa88356c98f282d6391a72be15" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/dapphp/securimage/zipball/3f5a84fd80b1a35d58332896c944142713a7e802", - "reference": "3f5a84fd80b1a35d58332896c944142713a7e802", + "url": "https://api.github.com/repos/dapphp/securimage/zipball/6eea2798f56540fa88356c98f282d6391a72be15", + "reference": "6eea2798f56540fa88356c98f282d6391a72be15", "shasum": "" }, "require": { @@ -150,7 +150,44 @@ "captcha", "security" ], - "time": "2016-12-04T17:45:57+00:00" + "time": "2017-11-21T02:29:19+00:00" + }, + { + "name": "enshrined/svg-sanitize", + "version": "0.8.2", + "source": { + "type": "git", + "url": "https://github.com/darylldoyle/svg-sanitizer.git", + "reference": "432fc4fc7e95b8a866790ba27e35076b9dd96ebe" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/432fc4fc7e95b8a866790ba27e35076b9dd96ebe", + "reference": "432fc4fc7e95b8a866790ba27e35076b9dd96ebe", + "shasum": "" + }, + "require-dev": { + "codeclimate/php-test-reporter": "^0.1.2", + "phpunit/phpunit": "^4.7" + }, + "type": "library", + "autoload": { + "psr-4": { + "enshrined\\svgSanitize\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "GPL-2.0+" + ], + "authors": [ + { + "name": "Daryll Doyle", + "email": "daryll@enshrined.co.uk" + } + ], + "description": "An SVG sanitizer for PHP", + "time": "2017-12-06T15:31:26+00:00" }, { "name": "flexihash/flexihash", @@ -318,37 +355,40 @@ }, { "name": "myclabs/deep-copy", - "version": "1.x-dev", + "version": "1.7.0", "source": { "type": "git", "url": "https://github.com/myclabs/DeepCopy.git", - "reference": "8e6e04167378abf1ddb4d3522d8755c5fd90d102" + "reference": "3b8a3a99ba1f6a3952ac2747d989303cbd6b7a3e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/myclabs/DeepCopy/zipball/8e6e04167378abf1ddb4d3522d8755c5fd90d102", - "reference": "8e6e04167378abf1ddb4d3522d8755c5fd90d102", + "url": "https://api.github.com/repos/myclabs/DeepCopy/zipball/3b8a3a99ba1f6a3952ac2747d989303cbd6b7a3e", + "reference": "3b8a3a99ba1f6a3952ac2747d989303cbd6b7a3e", "shasum": "" }, "require": { - "php": ">=5.4.0" + "php": "^5.6 || ^7.0" }, "require-dev": { - "doctrine/collections": "1.*", - "phpunit/phpunit": "~4.1" + "doctrine/collections": "^1.0", + "doctrine/common": "^2.6", + "phpunit/phpunit": "^4.1" }, "type": "library", "autoload": { "psr-4": { "DeepCopy\\": "src/DeepCopy/" - } + }, + "files": [ + "src/DeepCopy/deep_copy.php" + ] }, "notification-url": "https://packagist.org/downloads/", "license": [ "MIT" ], "description": "Create deep copies (clones) of your objects", - "homepage": "https://github.com/myclabs/DeepCopy", "keywords": [ "clone", "copy", @@ -356,11 +396,11 @@ "object", "object graph" ], - "time": "2017-04-12T18:52:22+00:00" + "time": "2017-10-19T19:58:43+00:00" }, { "name": "phpdocumentor/reflection-common", - "version": "dev-master", + "version": "1.0.1", "source": { "type": "git", "url": "https://github.com/phpDocumentor/ReflectionCommon.git", @@ -414,22 +454,22 @@ }, { "name": "phpdocumentor/reflection-docblock", - "version": "3.2.2", + "version": "3.3.2", "source": { "type": "git", "url": "https://github.com/phpDocumentor/ReflectionDocBlock.git", - "reference": "4aada1f93c72c35e22fb1383b47fee43b8f1d157" + "reference": "bf329f6c1aadea3299f08ee804682b7c45b326a2" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/4aada1f93c72c35e22fb1383b47fee43b8f1d157", - "reference": "4aada1f93c72c35e22fb1383b47fee43b8f1d157", + "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/bf329f6c1aadea3299f08ee804682b7c45b326a2", + "reference": "bf329f6c1aadea3299f08ee804682b7c45b326a2", "shasum": "" }, "require": { - "php": ">=5.5", - "phpdocumentor/reflection-common": "^1.0@dev", - "phpdocumentor/type-resolver": "^0.3.0", + "php": "^5.6 || ^7.0", + "phpdocumentor/reflection-common": "^1.0.0", + "phpdocumentor/type-resolver": "^0.4.0", "webmozart/assert": "^1.0" }, "require-dev": { @@ -455,20 +495,20 @@ } ], "description": "With this component, a library can provide support for annotations via DocBlocks or otherwise retrieve information that is embedded in a DocBlock.", - "time": "2017-08-08T06:39:58+00:00" + "time": "2017-11-10T14:09:06+00:00" }, { "name": "phpdocumentor/type-resolver", - "version": "0.3.0", + "version": "0.4.0", "source": { "type": "git", "url": "https://github.com/phpDocumentor/TypeResolver.git", - "reference": "fb3933512008d8162b3cdf9e18dba9309b7c3773" + "reference": "9c977708995954784726e25d0cd1dddf4e65b0f7" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpDocumentor/TypeResolver/zipball/fb3933512008d8162b3cdf9e18dba9309b7c3773", - "reference": "fb3933512008d8162b3cdf9e18dba9309b7c3773", + "url": "https://api.github.com/repos/phpDocumentor/TypeResolver/zipball/9c977708995954784726e25d0cd1dddf4e65b0f7", + "reference": "9c977708995954784726e25d0cd1dddf4e65b0f7", "shasum": "" }, "require": { @@ -502,7 +542,7 @@ "email": "me@mikevanriel.com" } ], - "time": "2017-06-03T08:32:36+00:00" + "time": "2017-07-14T14:27:02+00:00" }, { "name": "phpspec/prophecy", @@ -510,12 +550,12 @@ "source": { "type": "git", "url": "https://github.com/phpspec/prophecy.git", - "reference": "c9b8c6088acd19d769d4cc0ffa60a9fe34344bd6" + "reference": "dfd6be44111a7c41c2e884a336cc4f461b3b2401" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpspec/prophecy/zipball/c9b8c6088acd19d769d4cc0ffa60a9fe34344bd6", - "reference": "c9b8c6088acd19d769d4cc0ffa60a9fe34344bd6", + "url": "https://api.github.com/repos/phpspec/prophecy/zipball/dfd6be44111a7c41c2e884a336cc4f461b3b2401", + "reference": "dfd6be44111a7c41c2e884a336cc4f461b3b2401", "shasum": "" }, "require": { @@ -527,7 +567,7 @@ }, "require-dev": { "phpspec/phpspec": "^2.5|^3.2", - "phpunit/phpunit": "^4.8 || ^5.6.5" + "phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.5" }, "type": "library", "extra": { @@ -565,7 +605,7 @@ "spy", "stub" ], - "time": "2017-09-04T11:05:03+00:00" + "time": "2018-02-19T10:16:54+00:00" }, { "name": "phpunit/php-code-coverage", @@ -632,16 +672,16 @@ }, { "name": "phpunit/php-file-iterator", - "version": "dev-master", + "version": "1.4.x-dev", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/php-file-iterator.git", - "reference": "3cc8f69b3028d0f96a9078e6295d86e9bf019be5" + "reference": "730b01bc3e867237eaac355e06a36b85dd93a8b4" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/php-file-iterator/zipball/3cc8f69b3028d0f96a9078e6295d86e9bf019be5", - "reference": "3cc8f69b3028d0f96a9078e6295d86e9bf019be5", + "url": "https://api.github.com/repos/sebastianbergmann/php-file-iterator/zipball/730b01bc3e867237eaac355e06a36b85dd93a8b4", + "reference": "730b01bc3e867237eaac355e06a36b85dd93a8b4", "shasum": "" }, "require": { @@ -675,7 +715,7 @@ "filesystem", "iterator" ], - "time": "2016-10-03T07:40:28+00:00" + "time": "2017-11-27T13:52:08+00:00" }, { "name": "phpunit/php-text-template", @@ -720,16 +760,16 @@ }, { "name": "phpunit/php-timer", - "version": "dev-master", + "version": "1.0.x-dev", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/php-timer.git", - "reference": "d107f347d368dd8a384601398280c7c608390ab7" + "reference": "9513098641797ce5f459dbc1de5a54c29b0ec1fb" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/php-timer/zipball/d107f347d368dd8a384601398280c7c608390ab7", - "reference": "d107f347d368dd8a384601398280c7c608390ab7", + "url": "https://api.github.com/repos/sebastianbergmann/php-timer/zipball/9513098641797ce5f459dbc1de5a54c29b0ec1fb", + "reference": "9513098641797ce5f459dbc1de5a54c29b0ec1fb", "shasum": "" }, "require": { @@ -765,7 +805,7 @@ "keywords": [ "timer" ], - "time": "2017-03-07T15:42:04+00:00" + "time": "2018-01-06T05:27:16+00:00" }, { "name": "phpunit/php-token-stream", @@ -773,12 +813,12 @@ "source": { "type": "git", "url": "https://github.com/sebastianbergmann/php-token-stream.git", - "reference": "958103f327daef5dd0bb328dec53e0a9e43cfaf7" + "reference": "58bd196ce8bc49389307b3787934a5117db80fea" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/php-token-stream/zipball/958103f327daef5dd0bb328dec53e0a9e43cfaf7", - "reference": "958103f327daef5dd0bb328dec53e0a9e43cfaf7", + "url": "https://api.github.com/repos/sebastianbergmann/php-token-stream/zipball/58bd196ce8bc49389307b3787934a5117db80fea", + "reference": "58bd196ce8bc49389307b3787934a5117db80fea", "shasum": "" }, "require": { @@ -814,7 +854,7 @@ "keywords": [ "tokenizer" ], - "time": "2017-03-07T08:21:50+00:00" + "time": "2017-12-04T15:11:28+00:00" }, { "name": "phpunit/phpunit", @@ -822,12 +862,12 @@ "source": { "type": "git", "url": "https://github.com/sebastianbergmann/phpunit.git", - "reference": "4eba3374803c6c0903145e8940844e6f1d665c07" + "reference": "b7803aeca3ccb99ad0a506fa80b64cd6a56bbc0c" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/4eba3374803c6c0903145e8940844e6f1d665c07", - "reference": "4eba3374803c6c0903145e8940844e6f1d665c07", + "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/b7803aeca3ccb99ad0a506fa80b64cd6a56bbc0c", + "reference": "b7803aeca3ccb99ad0a506fa80b64cd6a56bbc0c", "shasum": "" }, "require": { @@ -851,8 +891,8 @@ "sebastian/global-state": "^1.1", "sebastian/object-enumerator": "~2.0", "sebastian/resource-operations": "~1.0", - "sebastian/version": "~1.0.3|~2.0", - "symfony/yaml": "~2.1|~3.0" + "sebastian/version": "^1.0.6|^2.0.1", + "symfony/yaml": "~2.1|~3.0|~4.0" }, "conflict": { "phpdocumentor/reflection-docblock": "3.0.2" @@ -896,7 +936,7 @@ "testing", "xunit" ], - "time": "2017-09-01T08:38:37+00:00" + "time": "2018-02-01T05:50:59+00:00" }, { "name": "phpunit/phpunit-mock-objects", @@ -1429,7 +1469,7 @@ }, { "name": "sebastian/version", - "version": "dev-master", + "version": "2.0.1", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/version.git", @@ -1476,12 +1516,12 @@ "source": { "type": "git", "url": "https://github.com/symfony/yaml.git", - "reference": "a0e15688972f012156cf1ffa076fe1203bce6bc9" + "reference": "6af42631dcf89e9c616242c900d6c52bd53bd1bb" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/yaml/zipball/a0e15688972f012156cf1ffa076fe1203bce6bc9", - "reference": "a0e15688972f012156cf1ffa076fe1203bce6bc9", + "url": "https://api.github.com/repos/symfony/yaml/zipball/6af42631dcf89e9c616242c900d6c52bd53bd1bb", + "reference": "6af42631dcf89e9c616242c900d6c52bd53bd1bb", "shasum": "" }, "require": { @@ -1526,7 +1566,7 @@ ], "description": "Symfony Yaml Component", "homepage": "https://symfony.com", - "time": "2017-09-17T10:10:45+00:00" + "time": "2018-02-16T09:50:28+00:00" }, { "name": "webmozart/assert", @@ -1534,12 +1574,12 @@ "source": { "type": "git", "url": "https://github.com/webmozart/assert.git", - "reference": "4a8bf11547e139e77b651365113fc12850c43d9a" + "reference": "0df1908962e7a3071564e857d86874dad1ef204a" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/webmozart/assert/zipball/4a8bf11547e139e77b651365113fc12850c43d9a", - "reference": "4a8bf11547e139e77b651365113fc12850c43d9a", + "url": "https://api.github.com/repos/webmozart/assert/zipball/0df1908962e7a3071564e857d86874dad1ef204a", + "reference": "0df1908962e7a3071564e857d86874dad1ef204a", "shasum": "" }, "require": { @@ -1576,7 +1616,7 @@ "check", "validate" ], - "time": "2016-11-23T20:04:41+00:00" + "time": "2018-01-29T19:49:41+00:00" } ], "aliases": [], diff --git a/core/sys_config.inc.php b/core/sys_config.inc.php index cb8d2b4a2..235c7ab0c 100644 --- a/core/sys_config.inc.php +++ b/core/sys_config.inc.php @@ -36,7 +36,7 @@ function _d($name, $value) {if(!defined($name)) define($name, $value);} _d("NICE_URLS", false); // boolean force niceurl mode _d("SEARCH_ACCEL", false); // boolean use search accelerator _d("WH_SPLITS", 1); // int how many levels of subfolders to put in the warehouse -_d("VERSION", '2.6.1'); // string shimmie version +_d("VERSION", '2.6.2'); // string shimmie version _d("TIMEZONE", null); // string timezone _d("CORE_EXTS", "bbcode,user,mail,upload,image,view,handle_pixel,ext_manager,setup,upgrade,handle_404,comment,tag_list,index,tag_edit,alias_editor"); // extensions to always enable _d("EXTRA_EXTS", ""); // string optional extra extensions diff --git a/ext/handle_svg/main.php b/ext/handle_svg/main.php index 2e58dbd35..2847a0928 100644 --- a/ext/handle_svg/main.php +++ b/ext/handle_svg/main.php @@ -6,11 +6,19 @@ * Description: Handle static SVG files. (No thumbnail is generated for SVG files) */ +use enshrined\svgSanitize\Sanitizer; + class SVGFileHandler extends Extension { public function onDataUpload(DataUploadEvent $event) { if($this->supported_ext($event->type) && $this->check_contents($event->tmpname)) { $hash = $event->hash; - move_upload_to_archive($event); + + $sanitizer = new Sanitizer(); + $sanitizer->removeRemoteReferences(true); + $dirtySVG = file_get_contents($event->tmpname); + $cleanSVG = $sanitizer->sanitize($dirtySVG); + file_put_contents(warehouse_path("images", $hash), $cleanSVG); + send_event(new ThumbnailGenerationEvent($event->hash, $event->type)); $image = $this->create_image_from_data(warehouse_path("images", $hash), $event->metadata); if(is_null($image)) { @@ -46,7 +54,12 @@ public function onPageRequest(PageRequestEvent $event) { $page->set_type("image/svg+xml"); $page->set_mode("data"); - $page->set_data(file_get_contents(warehouse_path("images", $hash))); + + $sanitizer = new Sanitizer(); + $sanitizer->removeRemoteReferences(true); + $dirtySVG = file_get_contents(warehouse_path("images", $hash)); + $cleanSVG = $sanitizer->sanitize($dirtySVG); + $page->set_data($cleanSVG); } } diff --git a/ext/handle_svg/test.php b/ext/handle_svg/test.php index aaa2c3507..f8aaa96c8 100644 --- a/ext/handle_svg/test.php +++ b/ext/handle_svg/test.php @@ -10,5 +10,13 @@ public function testSVGHander() { # FIXME: test that the thumb works # FIXME: test that it gets displayed properly } + + public function testAbuiveSVG() { + $this->log_in_as_user(); + $image_id = $this->post_image("tests/alert.svg", "something"); + $this->get_page("post/view/$image_id"); + $this->get_page("get_svg/$image_id"); + $this->assert_no_content("script"); + } } diff --git a/tests/alert.svg b/tests/alert.svg new file mode 100644 index 000000000..7729c9cd6 --- /dev/null +++ b/tests/alert.svg @@ -0,0 +1,8 @@ + + + + + +