CVE-2022-2065: Force to download SVG files to prevent security problems. · NeoRazorX/facturascripts@1d1edb4
Cross-site Scripting (XSS) - Stored in GitHub repository neorazorx/facturascripts prior to 2022.06.
@@ -127,8 +127,7 @@ public function getFile(): bool
$allowedFolders = ['node_modules’, 'vendor’, 'Dinamic’, 'Core’, 'Plugins’, ‘MyFiles/Public’];
foreach ($allowedFolders as $folder) {
if (‘/’ . $folder === substr($uri, 0, 1 + strlen($folder))) {
header('Content-Type: ' . $this->getMime($filePath));
readfile($filePath);
$this->download($filePath);
return true;
}
}
@@ -137,14 +136,7 @@ public function getFile(): bool
$token = filter_input(INPUT_GET, ‘myft’);
$fixedFilePath = substr(urldecode($uri), 1);
if (‘/MyFiles/’ === substr($uri, 0, 9) && $token && MyFilesToken::validate($fixedFilePath, $token)) {
header('Content-Type: ' . $this->getMime($filePath));
// disable the buffer if enabled
if (ob_get_contents()) {
ob_end_flush();
}
readfile($filePath);
$this->download($filePath);
return true;
}
@@ -205,6 +197,23 @@ private function deploy()
}
}
private function download(string $filePath)
{
header('Content-Type: ' . $this->getMime($filePath));
// disable the buffer if enabled
if (ob_get_contents()) {
ob_end_flush();
}
// force to download svg files to prevent XSS attacks
if (strpos($filePath, ‘.svg’) !== false) {
header(‘Content-Disposition: attachment; filename="’ . basename($filePath) . ‘"’);
}
readfile($filePath);
}
/**
* Return the mime type from given file.
*
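Review bot: The forced-download guard in the new `download()` helper keys on `strpos($filePath, '.svg') !== false`, which is case-sensitive and matches the substring anywhere in the path, so a file stored as `logo.SVG` is still sent inline with whatever `getMime()` returns for it, while a path like `icons.svg/photo.png` is needlessly forced to download. Deciding on the actual extension, `if (strtolower(pathinfo($filePath, PATHINFO_EXTENSION)) === 'svg')`, or on the MIME type resolved on the line above (`image/svg+xml`), closes both gaps; whether `getMime()` itself lowercases the extension is not visible here. Because these files are user uploads, also emitting `header('X-Content-Type-Options: nosniff');` next to the Content-Type stops browsers from sniffing other uploads (HTML, XHTML, XML) into active content, and `basename($filePath)` should have `"` stripped before it is placed inside the quoted `filename="…"` parameter, since a quote in the name breaks the header value. The `getMime()` docblock the hunk ends in continues outside the hunk.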