From 0e456c2c15aed77330e208354397a975aa4ce090 Mon Sep 17 00:00:00 2001
From: pipe
Date: Sun, 24 Jul 2022 23:21:15 +0000
Subject: [PATCH] Modify default config key in CONTENT_VIEW_UNTIL_SIZE to enforce SVG files to be downloaded instead of viewed inline. This is a temporary solution for vulnerable browsers with unsafe defaults that execute code inside SVG files containing JavaScript when they are accessed directly instead of showing them in plain text. Actually browsers don't execute scripts when SVG's are invoked using due to security purposes, thus there is no reason to handle them differently on direct access, because the security risk is equal, however browsers do to not address this issue for some undefined reason. Remove the "image/svg" key from CONTENT_VIEW_UNTIL_SIZE to enable inline view of SVG files.
---
 app/config.example | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/config.example b/app/config.example
index 79d219b..6f0e77c 100644
--- a/app/config.example
+++ b/app/config.example
@@ -63,7 +63,7 @@ CAPTCHA_SHOW_FOR_ABUSE = 0
 # Show content instead of forcing download when the size it less than indicated value in bytes
 # Format is json with keys representing MIME types with or without subtypes. In case subtype isn't specified, any subtype will match.
-CONTENT_VIEW_UNTIL_SIZE = { "text" : 5000000, "image" : 10000000, "application/pdf" : 10000000, "audio" : 50000000, "video" : 50000000 }
+CONTENT_VIEW_UNTIL_SIZE = { "text" : 5000000, "image" : 10000000, "image/svg" : 0, "application/pdf" : 10000000, "audio" : 50000000, "video" : 50000000 }
 # Short URL minimal length
 SHORTURL_LENGTH = 4
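Review bot: The added key `"image/svg" : 0` may never match, because the registered media type for SVG is `image/svg+xml`; unless the lookup that reads CONTENT_VIEW_UNTIL_SIZE strips the `+xml` suffix (not visible in this hunk), the entry is ignored and the broader `"image" : 10000000` rule keeps serving SVG inline, so the mitigation would not take effect. Confirm which string the matcher compares against and, if it needs the full subtype, write the key as `"image/svg+xml" : 0`. The two comment lines above the setting also say nothing about the zero, so a later editor may "correct" it; add a line such as `# SVG is forced to download (limit 0) because an inline SVG served from this origin can carry script`. Forcing download is only a partial control: the same risk is covered more robustly by a `Content-Security-Policy: sandbox` header or by serving user uploads from a separate origin, independent of any size threshold.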