opensource/filestash
1
0
Fork 0
mirror of https://github.com/mickael-kerjean/filestash.git synced 2025-10-29 17:18:43 +08:00
Code Issues Packages Projects Releases Wiki Activity

feature (plg_security_svg): admin can decide upon viewing svg documents

Browse Source
This commit is contained in:
=
2019-04-22 18:24:32 +10:00
parent c5db893a5e
commit b2d6f5f1e4
3 changed files with 48 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
Makefile
View File

@ -17,3 +17,4 @@ build_plugins:
go build -buildmode=plugin -o ./dist/data/plugin/backend_mysql.so server/plugin/plg_backend_mysql/index.go
go build -buildmode=plugin -o dist/data/plugin/backend_backblaze.so server/plugin/plg_backend_backblaze/index.go
go build -buildmode=plugin -o dist/data/plugin/security_scanner.so server/plugin/plg_security_scanner/index.go
go build -buildmode=plugin -o dist/data/plugin/security_svg.so server/plugin/plg_security_svg/index.go

4
server/ctrl/files.go
View File

@ -235,7 +235,9 @@ func FileCat(ctx App, res http.ResponseWriter, req *http.Request) {
header.Set("Content-Length", fmt.Sprintf("%d", contentLength))
}
header.Set("Content-Type", GetMimeType(req.URL.Query().Get("path")))
header.Set("Content-Security-Policy", "script-src 'none'")
if header.Get("Content-Security-Policy") == "" {
header.Set("Content-Security-Policy", "default-src 'none'; img-src 'self'; style-src 'unsafe-inline'")
}
header.Set("Accept-Ranges", "bytes")
// Send data to the client

44
server/plugin/plg_security_svg/index.go Normal file
View File

@ -0,0 +1,44 @@
package main
import (
. "github.com/mickael-kerjean/filestash/server/common"
"io"
"io/ioutil"
"net/http"
"regexp"
)
func Init(conf *Configuration) {
disable_svg := func() bool {
return conf.Get("features.protection.disable_svg").Schema(func(f *FormElement) *FormElement {
if f == nil {
f = &FormElement{}
}
f.Default = true
f.Name = "disable_svg"
f.Type = "boolean"
f.Target = []string{}
f.Description = "Disable the display of SVG documents"
f.Placeholder = "Default: true"
return f
}).Bool()
}
disable_svg()
Hooks.Register.ProcessFileContentBeforeSend(func (reader io.ReadCloser, ctx *App, res *http.ResponseWriter, req *http.Request) (io.ReadCloser, error){
if GetMimeType(req.URL.Query().Get("path")) != "image/svg+xml" {
return reader, nil
} else if disable_svg() == true {
return reader, ErrNotAllowed
}
// XSS
(*res).Header().Set("Content-Security-Policy", "script-src 'none'; default-src 'none'; img-src 'self'")
// XML bomb
txt, _ := ioutil.ReadAll(reader)
if regexp.MustCompile("(?is)entity").Match(txt) {
txt = []byte("")
}
return NewReadCloserFromBytes(txt), nil
})
}