From 7b6cbbe821a9c450980c59d4863416964447655b Mon Sep 17 00:00:00 2001 From: Starbeamrainbowlabs Date: Tue, 21 Sep 2021 14:04:42 +0100 Subject: [PATCH] feature-upload: ensure that Javascript in SVG images does not execute My first time using Content-Security-Policy. Yay! It's real powerful, but I have yet to find a good generator to help me create more complex policies. In this case, the policy allows everything by default, but disables all Javascript. This new Content-Security-Policy header is served for all image previews. --- modules/feature-upload.php | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/modules/feature-upload.php b/modules/feature-upload.php index 451f83b..173aff4 100644 --- a/modules/feature-upload.php +++ b/modules/feature-upload.php @@ -313,6 +313,10 @@ add_action("preview", function() { global $settings, $env, $pageindex, $start_time; + // Disable Javascript in all SVGs + // Doesn't hurt to serve it for other images too just in case some wacky new format supports Javascript for some crazy reason + header("Content-Security-Policy: default-src *; script-src 'none'; script-src-elem 'none'; script-src-attr 'none'"); + if(empty($pageindex->{$env->page}->uploadedfilepath)) { $im = errorimage("The page '$env->page_safe' doesn't have an associated file."); 
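Review bot: The `script-src-elem 'none'` and `script-src-attr 'none'` directives in the new `header()` call are redundant, because a browser that does not find either directive falls back to `script-src`, so `script-src 'none'` alone already covers element and attribute scripts. The comment above the call could also record the limit of this mitigation: the policy is enforced only when the SVG is the navigated document (an SVG loaded through `<img>` never runs script regardless), and, as the warning text added later in this commit says, it does nothing for a copy that is downloaded and opened locally; suggested wording: `// CSP only applies when the browser renders this response as a document; it does not protect a downloaded copy`. Since the body is user-uploaded content served under its own MIME type, pairing it with `header("X-Content-Type-Options: nosniff");` would stop browsers from reinterpreting the bytes as another type. The enclosing `add_action("preview", function() {` closure starts before this hunk and its body continues after it.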
@@ -487,7 +491,7 @@ $dimensions = $mime_type !== "image/svg+xml" ? getimagesize($env->storage_prefix . $filepath) : getsvgsize($env->storage_prefix . $filepath); $fileTypeDisplay = slugify(substr($mime_type, 0, strpos($mime_type, "/"))); $previewUrl = htmlentities("?action=preview&size=$settings->default_preview_size&page=" . rawurlencode($env->page)); - $originalUrl = htmlentities($env->storage_prefix == "./" ? $filepath : "?action=preview&size=original&page=" . rawurlencode($env->page)); + $originalUrl = htmlentities($env->storage_prefix == "./" && $mime_type !== "image/svg+xml" ? $filepath : "?action=preview&size=original&page=" . rawurlencode($env->page)); if($mime_type == "application/pdf") $fileTypeDisplay = "pdf"; @@ -547,6 +551,9 @@ $fileInfo["Uploaded by"] = $pageindex->{$env->page}->lasteditor; $fileInfo["Short markdown embed code"] = " "; + if($mime_type == "image/svg+xml") + $fileInfo["Warning"] = "Warning: SVG images may contain Javascript. Although $settings->sitename disables execution of Javascript in SVGs, if you download an SVG and view it in your browser directly the Javascript may execute. Make sure you trust the source of this SVG before downloading!"; + $preview_html .= "\t\t\t
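Review bot: The new `$originalUrl` condition `$env->storage_prefix == "./" && $mime_type !== "image/svg+xml" ? ... : ...` relies on `&&` binding tighter than `?:`, which is correct but easy to misread, and it leaves the reason for the SVG exception unstated — presumably that a direct `$filepath` link is served by the web server and would therefore bypass the Content-Security-Policy header the preview action now sets. Pull the test into a named local with a comment, e.g. `// Never link SVGs directly: the raw file would bypass the preview action's CSP header` followed by `$linkDirect = $env->storage_prefix == "./" && $mime_type !== "image/svg+xml";`, and then `$linkDirect ? $filepath : "?action=preview&size=original&page=" . rawurlencode($env->page)`. The literal `"image/svg+xml"` is now compared in three places nearby (the `$dimensions` line, this line, and the `$fileInfo["Warning"]` check in the following hunk); a single `$isSvg = $mime_type === "image/svg+xml";` next to where `$mime_type` is assigned would keep them from drifting, though that assignment appears to lie outside this hunk.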

File Information

"; foreach ($fileInfo as $displayName => $displayValue)