author | Kyle D <kdumontnu@gmail.com> | 2021-01-15 02:38:41 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-15 17:38:41 +0800 |
commit | bfd0c47ef67b25b916e6fbde9d9f6e2d9c4e2cb6 (patch) | |
tree | 3be32e16585928edcc92185ff228ad4f335b7d9a | |
parent | a21adf92ec04ed6b957da9f58d49afbb93d584e9 (diff) | |
Kd/fix allow svg doctype (#14344)
* make svg regex case-insensitive & use strict word boundary
* allow doctype svg
* add doctype tests
* allow <!DOCTYPE svg> and <svg/>
-rw-r--r-- | modules/base/tool.go | 4 | ||||
-rw-r--r-- | modules/base/tool_test.go | 8 |
2 files changed, 10 insertions, 2 deletions
diff --git a/modules/base/tool.go b/modules/base/tool.go index c497bee44a..53339d6449 100644 --- a/modules/base/tool.go +++ b/modules/base/tool.go @@ -35,8 +35,8 @@ const sniffLen = 512 // SVGMimeType MIME type of SVG images. const SVGMimeType = "image/svg+xml" -var svgTagRegex = regexp.MustCompile(`(?s)\A\s*(?:<!--.*?-->\s*)*<svg\b`) -var svgTagInXMLRegex = regexp.MustCompile(`(?s)\A<\?xml\b.*?\?>\s*(?:<!--.*?-->\s*)*<svg\b`) +var svgTagRegex = regexp.MustCompile(`(?si)\A\s*(?:(<!--.*?-->|<!DOCTYPE\s+svg([\s:]+.*?>|>))\s*)*<svg[\s>\/]`) +var svgTagInXMLRegex = regexp.MustCompile(`(?si)\A<\?xml\b.*?\?>\s*(?:(<!--.*?-->|<!DOCTYPE\s+svg([\s:]+.*?>|>))\s*)*<svg[\s>\/]`) // EncodeMD5 encodes string to md5 hex value. func EncodeMD5(str string) string { diff --git a/modules/base/tool_test.go b/modules/base/tool_test.go index cda1685da7..a2a989b31f 100644 --- a/modules/base/tool_test.go +++ b/modules/base/tool_test.go @@ -216,6 +216,9 @@ func TestIsSVGImageFile(t *testing.T) { assert.True(t, IsSVGImageFile([]byte(`<!-- Multiline Comment --> <svg></svg>`))) + assert.True(t, IsSVGImageFile([]byte(`<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1 Basic//EN" + "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-basic.dtd"> + <svg></svg>`))) assert.True(t, IsSVGImageFile([]byte(`<?xml version="1.0" encoding="UTF-8"?> <!-- Comment --> <svg></svg>`))) @@ -227,6 +230,11 @@ func TestIsSVGImageFile(t *testing.T) { <!-- Multline Comment --> <svg></svg>`))) + assert.True(t, IsSVGImageFile([]byte(`<?xml version="1.0" encoding="UTF-8"?> + <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> + <!-- Multline + Comment --> + <svg></svg>`))) assert.False(t, IsSVGImageFile([]byte{})) assert.False(t, IsSVGImageFile([]byte("svg"))) assert.False(t, IsSVGImageFile([]byte("<svgfoo></svgfoo>"))) |
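Review bot: In both new patterns the DOCTYPE alternative ends in `.*?>` under `(?s)`, so it is not confined to the declaration: when the text after the first `>` is not a comment, another DOCTYPE or `<svg`, the match extends to any later `>` that is directly followed by `<svg`, and input such as `<!DOCTYPE svg x><html>…</html><svg>` is reported as SVG although its root element is not `svg`. If callers use this result to choose a content type or a sanitising path (not visible in this hunk), bounding the declaration closes that gap, e.g. `<!DOCTYPE\s+svg(?:[\s:][^>]*)?>`. That form no longer accepts a `>` inside the declaration (an internal subset or a quoted identifier), so the trade-off should be decided deliberately and pinned with a negative test. The two added groups are capturing but never read; `(?:…)` would match the rest of the pattern, and keeping the shared comment/DOCTYPE prefix in one constant would stop the two regexes from drifting apart.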
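Review bot: The cases added in both tool_test.go hunks exercise only the `PUBLIC` DOCTYPE form, while the commit message also lists case-insensitive matching, a bare `<!DOCTYPE svg>` and self-closing `<svg/>`; none of these is asserted in the visible lines. I would add `assert.True(t, IsSVGImageFile([]byte("<!DOCTYPE svg><svg/>")))` and `assert.True(t, IsSVGImageFile([]byte("<!doctype svg><SVG></SVG>")))`, plus a negative case for a DOCTYPE naming another root, `assert.False(t, IsSVGImageFile([]byte("<!DOCTYPE html><svg></svg>")))`, so that the loosened pattern is bounded from both sides. TestIsSVGImageFile starts and ends outside these hunks, so some of this may already be covered elsewhere in the function.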