Commit 4d8f24cf authored by Sergey Shepelevich's avatar Sergey Shepelevich

CMS-11040 [Backport 11.2] Improvement on validation of svg images

(cherry picked from commit 3c4cc5a8)
parent c0bc4d53
/*
* Copyright 2018 Hippo B.V. (http://www.onehippo.com)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.hippoecm.frontend.plugins.gallery.model;
public class SvgScriptGalleryException extends GalleryException {
public SvgScriptGalleryException(final String message) {
super(message);
}
public SvgScriptGalleryException(final String message, final Throwable cause) {
super(message, cause);
}
}
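Review bot: SvgScriptGalleryException is a new public type with no Javadoc explaining when it is raised; add a class comment such as `/** Thrown when an uploaded SVG image contains embedded script and the plugin config {@code svg.scripts.enabled} is not set to true. */` so the two callers that throw it and the two properties files that translate it have one documented contract. Exceptions are Serializable, so a `private static final long serialVersionUID = 1L;` as GalleryWorkflowPlugin declares would also be consistent with the rest of the change. Both constructors are thin pass-throughs and need no further comment.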
......@@ -5,4 +5,5 @@ file-type-label=File type
no-file-uploaded-label=Nothing uploaded
exception,type\=org.apache.wicket.util.upload.FileUploadException=File upload failed.
exception,type\=org.hippoecm.frontend.plugins.gallery.model.GalleryException=Gallery item could not be created.
exception,type\=org.hippoecm.frontend.plugins.gallery.model.SvgScriptGalleryException=SVG images with embedded script are not supported.
exception,type\=org.hippoecm.repository.api.WorkflowException=Cannot add {0}, because an item with name {0} already exists in this folder.
/*
* Copyright 2015 Hippo B.V. (http://www.onehippo.com)
* Copyright 2015 - 2018 Hippo B.V. (http://www.onehippo.com)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
......@@ -18,14 +18,17 @@ package org.hippoecm.frontend.editor.plugins.linkpicker;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.rmi.RemoteException;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.wicket.Component;
import org.apache.wicket.ajax.AjaxRequestTarget;
......@@ -50,6 +53,7 @@ import org.hippoecm.frontend.plugin.IPluginContext;
import org.hippoecm.frontend.plugin.config.IPluginConfig;
import org.hippoecm.frontend.plugins.gallery.model.GalleryException;
import org.hippoecm.frontend.plugins.gallery.model.GalleryProcessor;
import org.hippoecm.frontend.plugins.gallery.model.SvgScriptGalleryException;
import org.hippoecm.frontend.plugins.jquery.upload.AbstractFileUploadWidget;
import org.hippoecm.frontend.plugins.jquery.upload.FileUploadViolationException;
import org.hippoecm.frontend.plugins.jquery.upload.behaviors.FileUploadInfo;
......@@ -75,6 +79,9 @@ import org.slf4j.LoggerFactory;
public abstract class GalleryUploadPanel extends Panel {
private static final Logger log = LoggerFactory.getLogger(GalleryUploadPanel.class);
private static final String SVG_MIME_TYPE = "image/svg+xml";
private final String SVG_SCRIPTS_ENABLED = "svg.scripts.enabled";
private static final String FILEUPLOAD_WIDGET_ID = "uploadPanel";
private final IPluginContext context;
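Review bot: `SVG_SCRIPTS_ENABLED` is declared as a `private final String` instance field while its sibling `SVG_MIME_TYPE` on the line above is `private static final`; a configuration-key constant should be `private static final String SVG_SCRIPTS_ENABLED = "svg.scripts.enabled";` so it is not carried (and serialized) per panel instance. A short comment would also help here, e.g. `// plugin config key; when false (default) SVG uploads containing script are rejected`, since the only reader is `getAsBoolean(SVG_SCRIPTS_ENABLED, false)`. The same instance-field declaration appears in the GalleryWorkflowPlugin field hunk.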
......@@ -87,11 +94,13 @@ public abstract class GalleryUploadPanel extends Panel {
private String galleryType;
private GalleryProcessor galleryProcessor;
private final IPluginConfig pluginConfig;
public GalleryUploadPanel(final String id, final IModel<Node> model,
final IPluginContext context, final IPluginConfig config,
GalleryProcessor galleryProcessor) {
super(id, model);
this.pluginConfig = config;
this.context = context;
this.galleryProcessor = galleryProcessor;
......@@ -193,6 +202,17 @@ public abstract class GalleryUploadPanel extends Panel {
HippoNode node = null;
String localName = null;
try {
final boolean svgScriptsEnabled = pluginConfig.getAsBoolean(SVG_SCRIPTS_ENABLED, false);
if (!svgScriptsEnabled && Objects.equals(mimetype, SVG_MIME_TYPE)) {
final String svgContent = IOUtils.toString(istream, StandardCharsets.UTF_8);
if (svgContent.contains("<script")) {
istream.close();
throw new SvgScriptGalleryException("SVG images with embedded script are not supported.");
}
istream.reset();
}
//Get the selected folder from the folderReference Service
Node folderNode = (Node) getDefaultModelObject();
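Review bot: The `svgContent.contains("<script")` test is a case-sensitive substring match, so it covers only one spelling of the script element and not script carried in event-handler attributes or script-scheme links, and it only runs when `mimetype` equals `image/svg+xml`, which is a bypass if that value is taken from the upload request rather than derived from the content or extension. Parse the document with a hardened XML parser (DTD and external entities disabled) and reject any `script` element or `on*` attribute, or run it through an SVG sanitizer, instead of matching text. `istream.reset()` is also called without a preceding `mark()`, so on a stream that does not support marking it throws IOException after the content has already been consumed; read the bytes once with `IOUtils.toByteArray(istream)`, check those, and continue with `new ByteArrayInputStream(bytes)` instead of relying on reset. The `istream.close()` before the throw is redundant if the caller closes the stream, and reading the entire upload into a String should be bounded by the upload size limit. The same substring check and unguarded `is.reset()` appear in the GalleryWorkflowPlugin hunk; the enclosing method here starts and ends outside this hunk.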
......@@ -206,7 +226,7 @@ public abstract class GalleryUploadPanel extends Panel {
if (!node.getDisplayName().equals(localName)) {
defaultWorkflow.setDisplayName(localName);
}
} catch (WorkflowException | RepositoryException ex) {
} catch (WorkflowException | SvgScriptGalleryException | RepositoryException ex) {
log.error(ex.getMessage());
error(TranslatorUtils.getExceptionTranslation(GalleryUploadPanel.class, ex, localName).getObject());
}
......
......@@ -2,3 +2,4 @@ select-file-label=Select file to upload
button-upload-label=Upload
exception,type\=org.hippoecm.repository.api.WorkflowException=Cannot add '{0}', because an item with name '{0}' already exists in this folder.
exception,type\=org.hippoecm.frontend.plugins.jquery.upload.FileUploadViolationException=Cannot add '{0}': {1}
exception,type\=org.hippoecm.frontend.plugins.gallery.model.SvgScriptGalleryException=SVG images with embedded script are not supported.
/*
* Copyright 2009-2016 Hippo B.V. (http://www.onehippo.com)
* Copyright 2009-2018 Hippo B.V. (http://www.onehippo.com)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
......@@ -17,13 +17,16 @@ package org.hippoecm.frontend.plugins.gallery;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.rmi.RemoteException;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import org.apache.commons.io.IOUtils;
import org.apache.wicket.Component;
import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.form.AjaxFormComponentUpdatingBehavior;
......@@ -50,6 +53,7 @@ import org.hippoecm.frontend.plugin.config.IPluginConfig;
import org.hippoecm.frontend.plugins.gallery.model.DefaultGalleryProcessor;
import org.hippoecm.frontend.plugins.gallery.model.GalleryException;
import org.hippoecm.frontend.plugins.gallery.model.GalleryProcessor;
import org.hippoecm.frontend.plugins.gallery.model.SvgScriptGalleryException;
import org.hippoecm.frontend.plugins.jquery.upload.multiple.JQueryFileUploadDialog;
import org.hippoecm.frontend.plugins.standards.icon.HippoIconStack;
import org.hippoecm.frontend.plugins.standards.icon.HippoIconStack.Position;
......@@ -75,6 +79,8 @@ import org.slf4j.LoggerFactory;
public class GalleryWorkflowPlugin extends CompatibilityWorkflowPlugin<GalleryWorkflow> {
private static final long serialVersionUID = 1L;
private static final String SVG_MIME_TYPE = "image/svg+xml";
private final String SVG_SCRIPTS_ENABLED = "svg.scripts.enabled";
private static final Logger log = LoggerFactory.getLogger(GalleryWorkflowPlugin.class);
......@@ -133,6 +139,17 @@ public class GalleryWorkflowPlugin extends CompatibilityWorkflowPlugin<GalleryWo
WorkflowManager manager = UserSession.get().getWorkflowManager();
HippoNode node;
try {
final boolean svgScriptsEnabled = GalleryWorkflowPlugin.this.getPluginConfig()
.getAsBoolean(SVG_SCRIPTS_ENABLED, false);
if (!svgScriptsEnabled && Objects.equals(mimeType, SVG_MIME_TYPE)) {
final String svgContent = IOUtils.toString(is, StandardCharsets.UTF_8);
if (svgContent.contains("<script")) {
throw new SvgScriptGalleryException("SVG images with embedded script are not supported.");
}
is.reset();
}
WorkflowDescriptorModel workflowDescriptorModel = (WorkflowDescriptorModel) GalleryWorkflowPlugin.this
.getDefaultModel();
......