fix: validate svg file extension in addition to client mime type
pull/4824/head
NGPixel
2 years ago
No known key found for this signature in database
GPG Key ID: 8FDA2F1757F60D63
1 changed files with
7 additions and
1 deletions
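--- a/server/models/assets.js
+++ b/server/models/assets.js
@@ -100,7 +100,13 @@ module.exports = class Asset extends Model {
 }
 
 // Sanitize SVG contents
-if (WIKI.config.uploads.scanSVG && opts.mimetype === 'image/svg+xml') {
+if (
+WIKI.config.uploads.scanSVG &&
+(
+opts.mimetype.toLowerCase().startsWith('image/svg') ||
+opts.ext.toLowerCase() === 'svg'
+)
+) {
 const svgSanitizeJob = await WIKI.scheduler.registerJob({
 name: 'sanitize-svg',
 immediate: true,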
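Review bot: The new extension test `opts.ext.toLowerCase() === 'svg'` may never match, or may throw, depending on how `opts.ext` is populated, which is not visible in this hunk. If the value comes from `path.extname` or `path.parse` it carries a leading dot, so the comparison is always false and an SVG uploaded under a different declared MIME type would still skip the `sanitize-svg` job. If the field is unset, the `.toLowerCase()` call throws a TypeError for any upload whose MIME type is not SVG while `scanSVG` is enabled. I would normalise both operands defensively, e.g. `(opts.ext || '').toLowerCase().replace(/^\./, '') === 'svg'` and `(opts.mimetype || '').toLowerCase().startsWith('image/svg')`. The `if` body continues past the end of the hunk.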