Bug 249948
| Summary: | SVGUseElement sniffs content type when loading external document | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Jun Kokatsu <s.h.h.n.j.k> |
| Component: | SVG | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | karlcow, sabouhallawa, webkit-bug-importer, zimmermann |
| Priority: | P2 | Keywords: | BrowserCompat, InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Jun Kokatsu
PoC:
```
// SVG document that runs script once it is loaded, but served under a non-SVG MIME type
const text = `<svg id="x" xmlns="http://www.w3.org/2000/svg"><image href="xyz" onerror="alert(origin)" /></svg>`;
const blob = new Blob([text], {type: 'application/octet-stream'}); // <- not "image/svg+xml"
const url = URL.createObjectURL(blob);
let attackerControlledString = url + "#x";
// <use> pointing at a fragment of the external (blob) document
const svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
const use = document.createElementNS("http://www.w3.org/2000/svg", "use");
use.setAttribute('href', attackerControlledString);
svg.appendChild(use);
document.body.appendChild(svg);
```
The above code only loads external SVG from a Blob URL in WebKit. Both Blink and Gecko ignore it due to content type mismatch.
A potential fix is to add the following code after https://github.com/WebKit/WebKit/blob/5c3443a0ab7a7fdeaeeb20c104da59b55de0e265/Source/WebCore/svg/SVGUseElement.cpp#L614.
```
options.sniffContent = ContentSniffingPolicy::DoNotSniffContent;
```
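The following is an added example, not code from the report or from WebKit, that models the two policies being compared above: a sniffing loader that accepts an external `<use>` document because the body looks like SVG, and a do-not-sniff loader that trusts only the declared `Content-Type`. The `response` objects, the `mimeEssence`/`bodyLooksLikeSvg`/`acceptUseDocument` helpers and the policy names are constructed here for illustration and do not correspond to WebKit internals.

```javascript
// Added example (not WebKit code): models two content-type policies for an
// external <use> document fetch. The 'sniff' policy mirrors the reported bug
// (body looks like SVG, so accept it); the 'do-not-sniff' policy trusts only
// the declared Content-Type, which is what the proposed fix enforces.
// Response objects below are constructed here, not captured from a browser.

// Extract the MIME essence (type/subtype, lowercased, parameters dropped)
// from a Content-Type header value, or null if it is absent or malformed.
function mimeEssence(contentType) {
  if (typeof contentType !== 'string') return null;
  const essence = contentType.split(';')[0].trim().toLowerCase();
  const m = /^([a-z0-9!#$&^_.+-]+)\/([a-z0-9!#$&^_.+-]+)$/.exec(essence);
  return m ? `${m[1]}/${m[2]}` : null;
}

// The only type a <use> external document should be loaded as.
const SVG_MIME = 'image/svg+xml';

// A naive body sniff: strip a BOM, leading whitespace, an XML declaration and
// comments, then look for a root <svg> element. This is roughly what a
// content sniffer keys on, and it is entirely attacker controlled.
function bodyLooksLikeSvg(body) {
  const head = body
    .replace(/^\uFEFF/, '')
    .replace(/^\s*(<\?xml[^>]*\?>)?\s*/, '')
    .replace(/^(<!--[\s\S]*?-->\s*)*/, '')
    .slice(0, 512);
  return /^<svg[\s>]/i.test(head);
}

// Decide whether a fetched response may be used as the external document
// for <use href="url#id">. `policy` is 'sniff' or 'do-not-sniff'.
function acceptUseDocument(response, policy) {
  const declared = mimeEssence(response.headers['content-type']);
  if (declared === SVG_MIME) return true;
  if (policy === 'do-not-sniff') return false;   // hardened: declared type only
  return bodyLooksLikeSvg(response.body);        // buggy: body decides
}

// Constructed responses for the cases worth comparing.
const svgBody = '<svg id="x" xmlns="http://www.w3.org/2000/svg">' +
  '<image href="xyz" onerror="alert(origin)"/></svg>';

const samples = {
  // The PoC: SVG markup served as an opaque binary blob.
  octetStream: { headers: { 'content-type': 'application/octet-stream' }, body: svgBody },
  // A legitimately typed SVG resource (parameters must be ignored).
  properSvg:   { headers: { 'content-type': 'image/svg+xml; charset=utf-8' }, body: svgBody },
  // Same markup served as plain text, e.g. a user upload on a shared origin.
  plainText:   { headers: { 'content-type': 'text/plain' }, body: svgBody },
  // No Content-Type header at all.
  untyped:     { headers: {}, body: svgBody },
};

// Run every sample through both policies and return a comparison table.
function comparePolicies(cases = samples) {
  const out = {};
  for (const [name, resp] of Object.entries(cases)) {
    out[name] = {
      sniff: acceptUseDocument(resp, 'sniff'),
      doNotSniff: acceptUseDocument(resp, 'do-not-sniff'),
    };
  }
  return out;
}

console.table(comparePolicies());
```

Only the `properSvg` row is accepted under the do-not-sniff policy; under the sniffing policy every row is accepted, because the body is the same attacker-supplied markup in each case. That is why the check has to be on the declared type of the response rather than on anything derived from its content.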
Radar WebKit Bug Importer
<rdar://problem/103893082>
zak ridouh
Pull request: https://github.com/WebKit/WebKit/pull/32612
EWS
Committed 283447@main (6ba5b52ad5c1): <https://commits.webkit.org/283447@main>
Reviewed commits have been landed. Closing PR #32612 and removing active labels.
EWS
Committed 283286.25@safari-7620-branch (a22ef8e7a842): <https://commits.webkit.org/283286.25@safari-7620-branch>
Reviewed commits have been landed. Closing PR #1753 and removing active labels.