Filter SVGs before uploading by default

Created on 17 December 2024, 5 days ago

Problem/Motivation

SVGs are very powerful tools. They can include malicious code. As part of robust protection against malicious uploads, Drupal could filter (sanitize) SVG files on upload.

In general Drupal handles input as:

validate input to be appropriate for a field - e.g. is a number for a number field, filesize is within the limit - and lets the user fix any validation problems on the client side
stores the original content provided by a user
filters content on output to mitigate security attacks

However, that strategy isn't as appropriate in the case of public files since they are generally served directly by the webserver, avoiding a Drupal bootstrap, and, therefore, cannot be filtered by Drupal at the time of display.

Steps to reproduce

Upload a malicious SVG. Drupal accepts it and will let people download it and upload it to a new site.

Proposed resolution

Integrate a tool (perhaps SVG Sanitizer → ) into the upload process.

Remaining tasks

Evaluate and decide on a tool for this purpose.
Add it.

User interface changes

TBD.

Introduced terminology

TBD.

API changes

TBD.

Data model changes

TBD.

Release notes snippet

TBD.

✨ Feature request

Status

Postponed

Version

11.1 🔥

Component

file system

Created by

🇺🇸United States greggles Denver, Colorado, USA

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @greggles
Comment 5 days ago →
🇺🇸United States greggles Denver, Colorado, USA
Creating this as a postponed followup to #2868079: Add a default Content-Security-Policy-header for svg files → to provide a more robust solution to a wider set of problems.
Comment 4 days ago →
🇳🇿New Zealand quietone
Comment 4 days ago →
🇦🇺Australia kim.pepper 🏄‍♂️🇦🇺Sydney, Australia
The SVG Image → module does sanitization in the Formatter. https://git.drupalcode.org/project/svg_image/-/blob/3.x/src/Plugin/Field...

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024