默认禁止上传SVG格式图片，以避免svg图片的xss攻击

zmister2016 · Sep 3, 2021 · 00c26e9 · 00c26e9
1 parent a33886e
commit 00c26e9
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/CHANGES.md b/CHANGES.md
@@ -3,6 +3,7 @@
 ### v0.7.1 2021-09
 
 - [修复]用户上传文件中yaml加载的安全漏洞；
+- [优化]默认禁止上传SVG图片（有安全风险）；
 
 
 ### v0.7.0 2021-08-31

diff --git a/MrDoc/settings.py b/MrDoc/settings.py
@@ -195,7 +195,7 @@
 MEDIA_ROOT = os.path.join(BASE_DIR,'media')
 
 # 允许上传的图片后缀
-ALLOWED_IMG = CONFIG.get("image_upload","suffix_name",fallback="jpg,jpeg,gif,png,bmp,webp,svg").split(",")
+ALLOWED_IMG = CONFIG.get("image_upload","suffix_name",fallback="jpg,jpeg,gif,png,bmp,webp").split(",")
 
 
 REST_FRAMEWORK = {