Modify default config key in CONTENT_VIEW_UNTIL_SIZE to enforce SVG files to be downloaded instead of viewed inline.

This is a temporary solution for vulnerable browsers with unsafe defaults that execute code inside SVG files containing JavaScript when they are accessed directly instead of showing them in plain text.
Actually, browsers don't execute scripts when SVGs are invoked using <img> for security purposes, thus there is no reason to handle them differently on direct access, because the security risk is equal; however, browsers do not address this issue for some undefined reason.

Remove the "image/svg" key from CONTENT_VIEW_UNTIL_SIZE to enable inline view of SVG files.
pipe committed Jul 24, 2022
1 parent d62cb8b commit 0e456c2
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion app/config.example
Expand Up @@ -63,7 +63,7 @@ CAPTCHA_SHOW_FOR_ABUSE = 0

# Show content instead of forcing download when the size it less than indicated value in bytes
# Format is json with keys representing MIME types with or without subtypes. In case subtype isn't specified, any subtype will match.
CONTENT_VIEW_UNTIL_SIZE = { "text" : 5000000, "image" : 10000000, "application/pdf" : 10000000, "audio" : 50000000, "video" : 50000000 }
CONTENT_VIEW_UNTIL_SIZE = { "text" : 5000000, "image" : 10000000, "image/svg" : 0, "application/pdf" : 10000000, "audio" : 50000000, "video" : 50000000 }

# Short URL minimal length
SHORTURL_LENGTH = 4
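Review bot: the new `"image/svg" : 0` entry only has the intended effect if the MIME lookup prefers the most specific matching key and treats `image/svg` as matching `image/svg+xml`, which is the media type SVG files are normally served with; the comment above says an unspecified subtype matches any subtype, so if the lookup stops at the first match, the broader `"image" : 10000000` entry would still allow inline viewing. Worth confirming the lookup order in the code that consumes CONTENT_VIEW_UNTIL_SIZE, and extending the comment to state that a value of 0 forces a download and that a key with a full MIME type overrides the type-only key.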