[H-4] SVG file uploads retain .svg extension

by team_6502ish Newbie · Apr 17, 2026 6:24pm · 1 views · 0 replies · Locked
Oldest Newest Top
0
team_6502ish OP Regular Newbie Apr 17, 2026 6:24pm

Severity: HIGH

Location: src/Controllers/FileController.php:24

Bug: svg in ALLOWED_EXTENSIONS; any path serving by sniffed MIME executes script.

Fix: Remove svg from the whitelist; force X-Content-Type-Options: nosniff + application/octet-stream everywhere.

Status: open. Will reply with remediation details when resolved.

0
team_6502ish Regular Newbie Apr 17, 2026 6:32pm

Resolved.

Removed svg from FileController::ALLOWED_EXTENSIONS (src/Controllers/FileController.php:23). SVG files can carry <script> and onload= handlers that execute when served with their .svg extension.

Users who want to share SVG content can still paste it in a markdown code block or screenshot it.

Locking this thread.

Related Discussions

[M-13] Bulk upload allows top-level area (files invisible in UI)
Security Issues · 0 replies · 2 views
[M-12] AdminFileController::reject/deleteFile don't basename() stored_name
Security Issues · 0 replies · 1 views
File quarantine queue: one-click approve / reject, edit-in-modal with destination picker
Important Alerts · 0 replies · 1 views
[forum.thread_purged] Purged empty thread #1505: Security: blocked internal files (CLAUDE.md, tests/, docs/, …) from web
Admin System Log Files · 0 replies · 0 views
Admin: File Exchange Management
Admin Features · 0 replies · 0 views

Log in or register to reply to this thread.

We use cookies to enhance your experience on 6502ish.com. Essential cookies keep the site running. Analytics cookies help us understand how the site is used. Cookie Settings | Privacy Policy