From da5af2fae091041cca27b24b6f0e69e4a6d0dc60 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Wed, 16 Sep 2020 16:25:20 +0300
Subject: cached_url: block SVG images because of potential javascript inside

---
 include/functions.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'include')

diff --git a/include/functions.php b/include/functions.php
index eaba61a05..bc66317bb 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -1820,8 +1820,11 @@
 			if ($mimetype == "application/octet-stream")
 				$mimetype = "video/mp4";
 
+			# block SVG because of possible embedded javascript (.....)
+			$mimetype_blacklist = [ "image/svg+xml" ];
+
 			/* only serve video and images */
-			if (!preg_match("/(image|video)\//", $mimetype)) {
+			if (!preg_match("/(image|video)\//", $mimetype) || in_array($mimetype, $mimetype_blacklist)) {
 				http_response_code(400);
 				header("Content-type: text/plain");
 
-- 
cgit v1.2.3