be more specific on the base type match and less specific on the subtype, in order to fail-safe (avoid being tricked into not sanitizing - the mime type is a user provided input)

This commit is contained in:
El RIDO 2022-03-27 08:27:24 +02:00
parent 36cb37c029
commit 75dc346f0f
No known key found for this signature in database
GPG key ID: 0F5C940A6BD81F92
3 changed files with 6 additions and 6 deletions


@ -2843,7 +2843,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
// prevents executing embedded scripts when CSP is not set and user // prevents executing embedded scripts when CSP is not set and user
// right-clicks/long-taps and opens the SVG in a new tab - prevented // right-clicks/long-taps and opens the SVG in a new tab - prevented
// in the preview by use of an img tag, which disables scripts, too // in the preview by use of an img tag, which disables scripts, too
if (mimeType.match(/image\/svg/i)) { if (mimeType.match(/^image\/.*svg/i)) {
const sanitizedData = DOMPurify.sanitize( const sanitizedData = DOMPurify.sanitize(
decodedData, decodedData,
purifySvgConfig purifySvgConfig
@ -3072,13 +3072,13 @@ jQuery.PrivateBin = (function($, RawDeflate) {
me.handleBlobAttachmentPreview = function ($targetElement, blobUrl, mimeType) { me.handleBlobAttachmentPreview = function ($targetElement, blobUrl, mimeType) {
if (blobUrl) { if (blobUrl) {
attachmentHasPreview = true; attachmentHasPreview = true;
if (mimeType.match(/image\//i)) { if (mimeType.match(/^image\//i)) {
$targetElement.html( $targetElement.html(
$(document.createElement('img')) $(document.createElement('img'))
.attr('src', blobUrl) .attr('src', blobUrl)
.attr('class', 'img-thumbnail') .attr('class', 'img-thumbnail')
); );
} else if (mimeType.match(/video\//i)) { } else if (mimeType.match(/^video\//i)) {
$targetElement.html( $targetElement.html(
$(document.createElement('video')) $(document.createElement('video'))
.attr('controls', 'true') .attr('controls', 'true')
@ -3089,7 +3089,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
.attr('type', mimeType) .attr('type', mimeType)
.attr('src', blobUrl)) .attr('src', blobUrl))
); );
} else if (mimeType.match(/audio\//i)) { } else if (mimeType.match(/^audio\//i)) {
$targetElement.html( $targetElement.html(
$(document.createElement('audio')) $(document.createElement('audio'))
.attr('controls', 'true') .attr('controls', 'true')
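Review bot: The anchored-but-loose pattern on the `if (mimeType.match(/^image\/.*svg/i)) {` line is the fail-safe the commit message describes, yet the comment directly above it only explains why sanitizing happens, not why the regex has this shape, so a later tidy-up to an exact `image/svg+xml` match would silently reopen the gap this commit closes; I would extend that comment with `// mime type is user supplied: anchor the base type, but treat any image subtype containing "svg" (e.g. image/x-svg+xml) as SVG so a variant spelling cannot bypass DOMPurify`. The same reasoning applies to the `^image\/`, `^video\/` and `^audio\/` checks in the handleBlobAttachmentPreview hunk below, where a one-line comment on the first branch would suffice. As a point of style, `.match()` is used purely as a boolean in all four places, so `/^image\/.*svg/i.test(mimeType)` states the intent more directly and avoids building a match array. The function enclosing the first hunk starts outside the hunk, and the last hunk begins mid-statement.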


@ -73,7 +73,7 @@ endif;
?> ?>
<script type="text/javascript" data-cfasync="false" src="js/purify-2.3.6.js" integrity="sha512-N1GGPjbqLbwK821ZN7C925WuTwU4aDxz2CEEOXQ6/s6m6MBwVj8fh5fugiE2hzsm0xud3q7jpjZQ4ILnpMREYQ==" crossorigin="anonymous"></script> <script type="text/javascript" data-cfasync="false" src="js/purify-2.3.6.js" integrity="sha512-N1GGPjbqLbwK821ZN7C925WuTwU4aDxz2CEEOXQ6/s6m6MBwVj8fh5fugiE2hzsm0xud3q7jpjZQ4ILnpMREYQ==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script> <script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-xdu6IjnYpAF3x74lr5/SLuZSPoWD2Imc/GBZvsIhiUSRltwR734fEMRBrGUEdAzZpAdeIt3sOOZqwPAdYpM31Q==" crossorigin="anonymous"></script> <script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-xwttv41FsiFPAKh5r/rq3FGUpcnOaV/Flzg91OIpUz60t1gjE3JRke3YwcHGUm3FrQWahba5/RAqVLYkUvtpFg==" crossorigin="anonymous"></script>
<!-- icon --> <!-- icon -->
<link rel="apple-touch-icon" href="<?php echo I18n::encode($BASEPATH); ?>img/apple-touch-icon.png" sizes="180x180" /> <link rel="apple-touch-icon" href="<?php echo I18n::encode($BASEPATH); ?>img/apple-touch-icon.png" sizes="180x180" />
<link rel="icon" type="image/png" href="img/favicon-32x32.png" sizes="32x32" /> <link rel="icon" type="image/png" href="img/favicon-32x32.png" sizes="32x32" />


@ -51,7 +51,7 @@ endif;
?> ?>
<script type="text/javascript" data-cfasync="false" src="js/purify-2.3.6.js" integrity="sha512-N1GGPjbqLbwK821ZN7C925WuTwU4aDxz2CEEOXQ6/s6m6MBwVj8fh5fugiE2hzsm0xud3q7jpjZQ4ILnpMREYQ==" crossorigin="anonymous"></script> <script type="text/javascript" data-cfasync="false" src="js/purify-2.3.6.js" integrity="sha512-N1GGPjbqLbwK821ZN7C925WuTwU4aDxz2CEEOXQ6/s6m6MBwVj8fh5fugiE2hzsm0xud3q7jpjZQ4ILnpMREYQ==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script> <script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-xdu6IjnYpAF3x74lr5/SLuZSPoWD2Imc/GBZvsIhiUSRltwR734fEMRBrGUEdAzZpAdeIt3sOOZqwPAdYpM31Q==" crossorigin="anonymous"></script> <script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-xwttv41FsiFPAKh5r/rq3FGUpcnOaV/Flzg91OIpUz60t1gjE3JRke3YwcHGUm3FrQWahba5/RAqVLYkUvtpFg==" crossorigin="anonymous"></script>
<!-- icon --> <!-- icon -->
<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" /> <link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" /> <link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />