GHSA-m6hv-x64c-27mm

Published: 10 Mar 2026
Source: github
GitHub: Reviewed
CVSS3: 4.6

Description

copyparty: volflag nohtml did not block javascript in svg files

Summary

The nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images.

Details

A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it.

This in itself is not a vulnerability; it is intended behavior according to the SVG spec. The vulnerability is that the nohtml volflag, when enabled, did not prevent this.

nohtml, intended for use on volumes that contain untrusted files, correctly prevented execution of JavaScript in HTML files, but did not consider SVG images. This has been fixed in v1.20.11.

Impact

The malicious JavaScript could move or delete existing files on the server, or upload new files, using the account of the person who opens the SVG.
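The gap described in Details and Impact, as an added example that is not copyparty's code: a minimal "nohtml"-style serving policy in which the weak version neutralises only HTML while the corrected version also treats SVG as active content (a browser that opens an SVG served as image/svg+xml runs the script inside it), plus an audit helper that flags SVG files carrying script so an administrator can check an existing volume. The sample file names and bytes, the extension map and the function names are all constructed for this example; the page does not describe how copyparty itself implements the flag.

```python
# Added example, not copyparty's code: a "nohtml"-style serving policy
# showing the gap the advisory describes, and an SVG audit helper.
# All file names, bytes and function names here are constructed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample uploads keyed by file name (hypothetical content).
SAMPLES = {
    "notes.html": b"<html><body><script>document.title = 'x'</script></body></html>",
    "logo.svg": (b'<svg xmlns="http://www.w3.org/2000/svg">'
                 b"<script>document.title = 'x'</script></svg>"),
    "clean.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

# Small explicit extension map so the example does not depend on the host's
# mimetypes database.
EXT_TO_TYPE = {
    "html": "text/html",
    "htm": "text/html",
    "svg": "image/svg+xml",
    "jpg": "image/jpeg",
    "txt": "text/plain",
}

# Types a browser parses as a document and runs scripts from when it
# navigates to them directly. SVG belongs here; that is the advisory's point.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


@dataclass(frozen=True)
class Headers:
    content_type: str
    content_disposition: str
    x_content_type_options: str = "nosniff"  # stop the browser re-guessing the type


def guess_type(name: str) -> str:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXT_TO_TYPE.get(ext, "application/octet-stream")


def weak_nohtml(name: str) -> Headers:
    """Pre-fix behaviour as the advisory describes it: only HTML is neutralised."""
    ctype = guess_type(name)
    if ctype == "text/html":
        return Headers("text/plain; charset=utf-8", "attachment")
    return Headers(ctype, "inline")


def fixed_nohtml(name: str) -> Headers:
    """Corrected policy: every active document type, SVG included, is served
    as plain text and as a download, so the browser never renders it."""
    ctype = guess_type(name)
    if ctype in ACTIVE_TYPES:
        return Headers("text/plain; charset=utf-8", "attachment")
    return Headers(ctype, "inline")


def _local(tag: str) -> str:
    """Strip the XML namespace prefix from a tag or attribute name."""
    return tag.rsplit("}", 1)[-1].lower()


def svg_has_script(data: bytes) -> bool:
    """Audit helper: True if the SVG carries a <script> element, an on*
    event-handler attribute, or a javascript: URL. Input that does not
    parse as XML is reported as suspicious rather than silently passed."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True
    for el in root.iter():
        if not isinstance(el.tag, str):  # comments / processing instructions
            continue
        if _local(el.tag) == "script":
            return True
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                return True
            if name == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


if __name__ == "__main__":
    for fname, data in SAMPLES.items():
        flagged = svg_has_script(data) if fname.endswith(".svg") else "-"
        print(f"{fname:12} weak={weak_nohtml(fname).content_disposition:10} "
              f"fixed={fixed_nohtml(fname).content_disposition:10} script={flagged}")
```

Running the block prints one line per sample: under the weak policy logo.svg is served inline as image/svg+xml (so its script runs in the viewer's session), under the corrected policy it becomes a plain-text download like notes.html, and photo.jpg is unaffected either way. The audit helper is deliberately conservative: it treats an on* attribute or a javascript: href as script even without a script element, and treats unparseable input as a finding to be looked at rather than as clean.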

Packages

Name: copyparty
Ecosystem: pip
Affected versions: <= 1.20.10
Fixed version: 1.20.11

EPSS

Percentile: 9%
Score: 0.00032
Low

CVSS3: 4.6 Medium

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 4.6
nvd
about 1 month ago

Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11.

EPSS

Percentile: 9%
Score: 0.00032
Low

CVSS3: 4.6 Medium

Weaknesses

CWE-79