authorKyle D <kdumontnu@gmail.com>2021-01-15 02:38:41 -0700
committerGitHub <noreply@github.com>2021-01-15 17:38:41 +0800
commitbfd0c47ef67b25b916e6fbde9d9f6e2d9c4e2cb6 (patch)
tree3be32e16585928edcc92185ff228ad4f335b7d9a
parenta21adf92ec04ed6b957da9f58d49afbb93d584e9 (diff)
Kd/fix allow svg doctype (#14344)
* make svg regex case-insensitive & use strict word boundary * allow doctype svg * add doctype tests * allow <!DOCTYPE svg> and <svg/>
-rw-r--r--modules/base/tool.go4
-rw-r--r--modules/base/tool_test.go8
2 files changed, 10 insertions, 2 deletions
diff --git a/modules/base/tool.go b/modules/base/tool.go
index c497bee44a..53339d6449 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -35,8 +35,8 @@ const sniffLen = 512
// SVGMimeType MIME type of SVG images.
const SVGMimeType = "image/svg+xml"
-var svgTagRegex = regexp.MustCompile(`(?s)\A\s*(?:<!--.*?-->\s*)*<svg\b`)
-var svgTagInXMLRegex = regexp.MustCompile(`(?s)\A<\?xml\b.*?\?>\s*(?:<!--.*?-->\s*)*<svg\b`)
+var svgTagRegex = regexp.MustCompile(`(?si)\A\s*(?:(<!--.*?-->|<!DOCTYPE\s+svg([\s:]+.*?>|>))\s*)*<svg[\s>\/]`)
+var svgTagInXMLRegex = regexp.MustCompile(`(?si)\A<\?xml\b.*?\?>\s*(?:(<!--.*?-->|<!DOCTYPE\s+svg([\s:]+.*?>|>))\s*)*<svg[\s>\/]`)
// EncodeMD5 encodes string to md5 hex value.
func EncodeMD5(str string) string {
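Review bot: The prologue alternation is now repeated verbatim in `svgTagRegex` and `svgTagInXMLRegex`, and its two groups `(<!--.*?-->|...)` and `([\s:]+.*?>|>)` are capturing although nothing in this hunk reads a submatch. Both patterns presumably feed the same SVG classification, so a later edit to only one copy would make the plain and XML-declared sniffing paths disagree about what counts as SVG. A shared `svgPrologue` string constant holding `(?:(?:<!--.*?-->|<!DOCTYPE\s+svg(?:[\s:]+.*?>|>))\s*)*<svg[\s>/]`, concatenated into both `MustCompile` calls, would keep them in step. I would also add a comment above the two vars, e.g. `// Both patterns skip leading comments and <!DOCTYPE svg ...> declarations before the root <svg> element; matching is case-insensitive.`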
diff --git a/modules/base/tool_test.go b/modules/base/tool_test.go
index cda1685da7..a2a989b31f 100644
--- a/modules/base/tool_test.go
+++ b/modules/base/tool_test.go
@@ -216,6 +216,9 @@ func TestIsSVGImageFile(t *testing.T) {
assert.True(t, IsSVGImageFile([]byte(`<!-- Multiline
Comment -->
<svg></svg>`)))
+ assert.True(t, IsSVGImageFile([]byte(`<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1 Basic//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-basic.dtd">
+ <svg></svg>`)))
assert.True(t, IsSVGImageFile([]byte(`<?xml version="1.0" encoding="UTF-8"?>
<!-- Comment -->
<svg></svg>`)))
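Review bot: The cases added here and in the next hunk (`@@ -227,6 +230,11 @@`) only exercise the `PUBLIC` DOCTYPE form. The other behaviours the commit message lists are left unpinned: case-insensitive matching, a bare `<!DOCTYPE svg>`, and a self-closing `<svg/>`. There is also no negative case for a non-SVG doctype. I would add `assert.True(t, IsSVGImageFile([]byte("<!DOCTYPE svg><svg/>")))`, `assert.True(t, IsSVGImageFile([]byte("<SVG></SVG>")))` and `assert.False(t, IsSVGImageFile([]byte("<!DOCTYPE html><svg></svg>")))`. These expected values follow from the new patterns, but the body of `IsSVGImageFile` is not in this diff, so confirm them by running the test. `TestIsSVGImageFile` starts and ends outside both hunks.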
@@ -227,6 +230,11 @@ func TestIsSVGImageFile(t *testing.T) {
<!-- Multline
Comment -->
<svg></svg>`)))
+ assert.True(t, IsSVGImageFile([]byte(`<?xml version="1.0" encoding="UTF-8"?>
+ <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+ <!-- Multline
+ Comment -->
+ <svg></svg>`)))
assert.False(t, IsSVGImageFile([]byte{}))
assert.False(t, IsSVGImageFile([]byte("svg")))
assert.False(t, IsSVGImageFile([]byte("<svgfoo></svgfoo>")))