Backups/TwelveMonkeys
2
0
Fork 0
mirror of https://github.com/haraldk/TwelveMonkeys.git synced 2026-05-01 00:00:02 -04:00
Code Issues Projects Releases Wiki Activity

#526 Preventing SSRF due to external resource refs in SVGs

Browse Source
This commit is contained in:
Ashish Chopra
2020-02-25 11:26:16 +05:30
parent a1047edddb
commit 7bf99fb496
4 changed files with 52 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
imageio/imageio-batik/src/main/java/com/twelvemonkeys/imageio/plugins/svg/SVGImageReader.java
+13
View File
@@ -80,6 +80,7 @@ import java.util.Map;
*/
public class SVGImageReader extends ImageReaderBase {
private Rasterizer rasterizer;
private boolean allowExternalResources;
/**
* Creates an {@code SVGImageReader}.
@@ -88,6 +89,7 @@ public class SVGImageReader extends ImageReaderBase {
*/
public SVGImageReader(final ImageReaderSpi pProvider) {
super(pProvider);
allowExternalResources = true;
}
protected void resetMembers() {
@@ -116,6 +118,9 @@ public class SVGImageReader extends ImageReaderBase {
if (pParam instanceof SVGReadParam) {
SVGReadParam svgParam = (SVGReadParam) pParam;
// set the external-resource-resolution preference
allowExternalResources = svgParam.shouldAllowExternalResources();
// Get the base URI
// This must be done before converting the params to hints
String baseURI = svgParam.getBaseURI();
@@ -641,6 +646,14 @@ public class SVGImageReader extends ImageReaderBase {
public void displayMessage(String message) {
processWarningOccurred(message.replaceAll("[\\r\\n]+", " "));
}
@Override
public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
if (allowExternalResources) {
return super.getExternalResourceSecurity(resourceURL, docURL);
}
return new NoLoadExternalResourceSecurity();
}
}
}
}
imageio/imageio-batik/src/main/java/com/twelvemonkeys/imageio/plugins/svg/SVGReadParam.java
+14
View File
@@ -41,6 +41,12 @@ import java.awt.*;
public class SVGReadParam extends ImageReadParam {
private Paint background;
private String baseURI;
private boolean allowExternalResources;
public SVGReadParam() {
super();
allowExternalResources = true;
}
public Paint getBackgroundColor() {
return background;
@@ -58,6 +64,14 @@ public class SVGReadParam extends ImageReadParam {
baseURI = pBaseURI;
}
public void allowExternalResources(boolean bAllow) {
allowExternalResources = bAllow;
}
public boolean shouldAllowExternalResources() {
return allowExternalResources;
}
@Override
public boolean canSetSourceRenderSize() {
return true;