Kd/fix allow svg doctype (go-gitea#14344)

* make svg regex case-insensitive & use strict word boundary * allow doctype svg * add doctype tests * allow <!DOCTYPE svg> and <svg/>
john180 · Jan 15, 2021 · bfd0c47 · bfd0c47
1 parent a21adf9
commit bfd0c47
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/modules/base/tool.go b/modules/base/tool.go
@@ -35,8 +35,8 @@ const sniffLen = 512
 // SVGMimeType MIME type of SVG images.
 const SVGMimeType = "image/svg+xml"
 
-var svgTagRegex = regexp.MustCompile(`(?s)\A\s*(?:<!--.*?-->\s*)*<svg\b`)
-var svgTagInXMLRegex = regexp.MustCompile(`(?s)\A<\?xml\b.*?\?>\s*(?:<!--.*?-->\s*)*<svg\b`)
+var svgTagRegex = regexp.MustCompile(`(?si)\A\s*(?:(<!--.*?-->|<!DOCTYPE\s+svg([\s:]+.*?>|>))\s*)*<svg[\s>\/]`)
+var svgTagInXMLRegex = regexp.MustCompile(`(?si)\A<\?xml\b.*?\?>\s*(?:(<!--.*?-->|<!DOCTYPE\s+svg([\s:]+.*?>|>))\s*)*<svg[\s>\/]`)
 
 // EncodeMD5 encodes string to md5 hex value.
 func EncodeMD5(str string) string {

diff --git a/modules/base/tool_test.go b/modules/base/tool_test.go
@@ -216,6 +216,9 @@ func TestIsSVGImageFile(t *testing.T) {
 	assert.True(t, IsSVGImageFile([]byte(`<!-- Multiline
 	Comment -->
 	<svg></svg>`)))
+	assert.True(t, IsSVGImageFile([]byte(`<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1 Basic//EN"
+	"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-basic.dtd">
+	<svg></svg>`)))
 	assert.True(t, IsSVGImageFile([]byte(`<?xml version="1.0" encoding="UTF-8"?>
 	<!-- Comment -->
 	<svg></svg>`)))
@@ -227,6 +230,11 @@ func TestIsSVGImageFile(t *testing.T) {
 	<!-- Multline
 	Comment -->
 	<svg></svg>`)))
+	assert.True(t, IsSVGImageFile([]byte(`<?xml version="1.0" encoding="UTF-8"?>
+	<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+	<!-- Multline
+	Comment -->
+	<svg></svg>`)))
 	assert.False(t, IsSVGImageFile([]byte{}))
 	assert.False(t, IsSVGImageFile([]byte("svg")))
 	assert.False(t, IsSVGImageFile([]byte("<svgfoo></svgfoo>")))