diff options
| author | Andrew Dolgov <[email protected]> | 2020-09-16 16:25:20 +0300 |
|---|---|---|
| committer | Andrew Dolgov <[email protected]> | 2020-09-16 16:25:20 +0300 |
| commit | da5af2fae091041cca27b24b6f0e69e4a6d0dc60 (patch) | |
| tree | 71c02f80f6f81841819cbc33f3e83102d79210eb /include | |
| parent | 33fdde249e8a40968bba42590e8ed17145ff9e30 (diff) | |
cached_url: block SVG images because of potential javascript inside
Diffstat (limited to 'include')
| -rw-r--r-- | include/functions.php | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/include/functions.php b/include/functions.php index eaba61a05..bc66317bb 100644 --- a/include/functions.php +++ b/include/functions.php @@ -1820,8 +1820,11 @@ if ($mimetype == "application/octet-stream") $mimetype = "video/mp4"; + # block SVG because of possible embedded javascript (.....) + $mimetype_blacklist = [ "image/svg+xml" ]; + /* only serve video and images */ - if (!preg_match("/(image|video)\//", $mimetype)) { + if (!preg_match("/(image|video)\//", $mimetype) || in_array($mimetype, $mimetype_blacklist)) { http_response_code(400); header("Content-type: text/plain"); |