Closed
Description
The upload handler checks that the content type starts with "image/", but this check includes the image/svg+xml content type, so the following image is accepted:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" width="500" height="500">
<circle cx="250" cy="250" r="210" fill="#fff" stroke="#000" stroke-width="8"/>
<script type="text/javascript">alert(1);</script>
</svg>
```
A non-admin user could trick an admin user into visiting such an image directly (i.e. through its /i/ URL), which would execute the script, for example to steal the admin user's session.
Mitigations could include:
- Not accepting SVG at all (like imgur), perhaps instead checking against an allowlist of content types.
- Accepting SVG images, but only if they do not have script tags or event handlers (like Wikimedia Commons).
Marking the session cookie HTTP-only or writing a strict Content Security Policy would help defend against similar attacks.
Overview pages that include images through <img> elements are not affected.
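The following is an added example, not the project's upload handler or any code from the reporter: it places the prefix check described above next to the two suggested mitigations, an allowlist of content types (SVG deliberately absent) and a scan that rejects SVG documents containing script elements or event-handler attributes. It also flags `javascript:` URLs in `href`, which the issue does not mention but which a script-free SVG can still use to run code; that extension is an assumption of this example. Function names, `ALLOWED_IMAGE_TYPES`, and the sample SVGs are constructed for illustration.

```python
"""Added example (not the project's own code): the flawed 'image/' prefix check
beside an allowlist check and an SVG active-content scan. Names and samples are
constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed sample inputs. The first is the proof of concept from the issue.
SCRIPT_SVG = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" width="500" height="500">
<circle cx="250" cy="250" r="210" fill="#fff" stroke="#000" stroke-width="8"/>
<script type="text/javascript">alert(1);</script>
</svg>"""

# No <script>, but an event handler and a javascript: link (constructed).
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<a xlink:href="javascript:alert(2)"><circle cx="5" cy="5" r="4" onload="alert(3)"/></a>
</svg>"""

CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<rect x="1" y="1" width="8" height="8" fill="#0f0"/>
</svg>"""


def vulnerable_is_image(content_type: str) -> bool:
    """The check the issue describes: any 'image/*' value passes, so
    image/svg+xml is accepted along with the raster formats."""
    return content_type.startswith("image/")


# Mitigation 1: an allowlist of media types. SVG is deliberately not listed.
ALLOWED_IMAGE_TYPES = frozenset({"image/png", "image/jpeg", "image/gif", "image/webp"})


def _media_type(content_type: str) -> str:
    """Strip parameters such as '; charset=...' and fold case before comparing."""
    return content_type.split(";", 1)[0].strip().lower()


def allowlisted_is_image(content_type: str) -> bool:
    return _media_type(content_type) in ALLOWED_IMAGE_TYPES


def _local_name(qualified: str) -> str:
    """ElementTree gives '{namespace}name'; return just 'name'."""
    return qualified.rsplit("}", 1)[-1]


def svg_active_content(data: bytes) -> list[str]:
    """Mitigation 2: report every <script> element, on* event-handler attribute
    and javascript: href in an SVG document. An empty list means no active
    content was found. This is a rejection scan, not a sanitiser; production
    code should parse with defusedxml so entity-expansion tricks are refused too."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name == "script":
            findings.append("<script> element")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


def accept_upload(content_type: str, data: bytes, allow_svg: bool = False) -> bool:
    """Combined policy: allowlisted raster types pass on content type alone;
    SVG passes only when allow_svg is set and the scan finds nothing."""
    media_type = _media_type(content_type)
    if media_type in ALLOWED_IMAGE_TYPES:
        return True
    if allow_svg and media_type == "image/svg+xml":
        return not svg_active_content(data)
    return False


if __name__ == "__main__":
    print("prefix check accepts svg:", vulnerable_is_image("image/svg+xml"))
    print("allowlist accepts svg:", allowlisted_is_image("image/svg+xml"))
    for label, svg in (("script", SCRIPT_SVG), ("handler", HANDLER_SVG), ("clean", CLEAN_SVG)):
        print(label, svg_active_content(svg))
```

The scan compares local names so it is not fooled by a namespace prefix on the `script` element, and it inspects attributes rather than searching the raw text, so an encoded `&#x6f;nload` is caught after the parser decodes it. Serving uploads with a response header such as `Content-Security-Policy: sandbox` (and the session cookie marked HttpOnly, as the issue suggests) remains worthwhile even with the scan in place, since it limits what a file that slips through can do when opened via its direct URL.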