From 35d1853baf64d6a1d90fd8803e52439da53a3911 Mon Sep 17 00:00:00 2001
From: Bernhard Rusch
Date: Mon, 17 Jan 2022 16:52:05 +0100
Subject: [PATCH] [Settings] Validate SVG uploads for branding
---
 bundles/AdminBundle/Controller/Admin/SettingsController.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/bundles/AdminBundle/Controller/Admin/SettingsController.php b/bundles/AdminBundle/Controller/Admin/SettingsController.php
index b706d5eb1bd..eeaec96a597 100644
--- a/bundles/AdminBundle/Controller/Admin/SettingsController.php
+++ b/bundles/AdminBundle/Controller/Admin/SettingsController.php
@@ -109,6 +109,12 @@ public function uploadCustomLogoAction(Request $request)
 throw new \Exception('Unsupported file format');
 }
+ if($fileExt === 'svg') {
+ if(strpos(file_get_contents($_FILES['Filedata']['tmp_name']), 'writeStream(self::CUSTOM_LOGO_PATH, fopen($_FILES['Filedata']['tmp_name'], 'rb'));
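Review bot: The SVG check in the added `if($fileExt === 'svg')` branch is a single case-sensitive `strpos()` over the raw upload, i.e. a deny-list on one substring, and it will not catch the other ways an SVG can carry active content (event-handler attributes, script-bearing links, embedded foreign content, or a differently-cased tag). The search string and the rest of the condition are cut off in this view, so this cannot be confirmed here, but if the `strpos()` result is tested for truthiness a match at offset 0 is missed; `stripos(...) !== false` avoids both the case and the offset problem. For a branding logo that is presumably displayed to admin users, parsing the file and keeping only an allow-list of elements and attributes, or serving the stored logo with a restrictive `Content-Security-Policy` header, would be the more durable control. The body of `uploadCustomLogoAction` starts and ends outside the hunk.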