[Settings] Validate SVG uploads for branding

pimcore · Jan 17, 2022 · 35d1853 · 35d1853
1 parent d8377fc
commit 35d1853
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/bundles/AdminBundle/Controller/Admin/SettingsController.php b/bundles/AdminBundle/Controller/Admin/SettingsController.php
@@ -109,6 +109,12 @@ public function uploadCustomLogoAction(Request $request)
             throw new \Exception('Unsupported file format');
         }
 
+        if($fileExt === 'svg') {
+            if(strpos(file_get_contents($_FILES['Filedata']['tmp_name']), '<script')) {
+                throw new \Exception('Scripts in SVG files are not supported');
+            }
+        }
+
         $storage = Tool\Storage::get('admin');
         $storage->writeStream(self::CUSTOM_LOGO_PATH, fopen($_FILES['Filedata']['tmp_name'], 'rb'));