
[IMPROVE] Change default upload settings to only block SVG files #17933

Merged
merged 1 commit into from
Jun 17, 2020

Conversation

sampaiodiego
Member

Proposed changes

Change default upload settings to only block SVG files and allow everything else.

Issue(s)

How to test or reproduce

Screenshots

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • Improvement (non-breaking change which improves a current function)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Hotfix (a major bugfix that has to be merged asap)
  • Documentation Update (if none of the other choices apply)

Checklist

  • I have read the CONTRIBUTING doc
  • I have signed the CLA
  • Lint and unit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works (if applicable)
  • I have added necessary documentation (if applicable)
  • Any dependent changes have been merged and published in downstream modules

Changelog

Further comments

@sampaiodiego sampaiodiego added this to the 3.4.0 milestone Jun 17, 2020
@sampaiodiego sampaiodiego requested a review from rodrigok June 17, 2020 04:00
@sampaiodiego sampaiodiego merged commit 5645357 into develop Jun 17, 2020
@sampaiodiego sampaiodiego deleted the improve/change-default-blacklist branch June 17, 2020 15:04
ggazzo added a commit that referenced this pull request Jun 18, 2020
…apps_rewrite* 'develop' of github.com:RocketChat/Rocket.Chat: (28 commits)
  • [IMPROVE] Performance editing Admin settings (#17916)
  • [IMPROVE] React hooks lint rules (#17941)
  • [FIX] StreamCast stream to server only streamers (#17942)
  • [FIX] Profile save button not activates properly when changing the username field (#16541)
  • [FIX] Outgoing webhook: Excessive spacing between trigger words (#17830)
  • [FIX] Links being escaped twice leading to visible encoded characters (#16481)
  • [NEW][API] New endpoints to manage User Custom Status `custom-user-status.create`, `custom-user-status.delete` and `custom-user-status.update` (#16550)
  • [FIX] Message action popup doesn't adjust itself on screen resize (#16508)
  • [FIX] Not possible to translate the label of custom fields in user's Info (#15595)
  • [FIX] Close the user info context panel does not navigate back to the user's list (#14085)
  • [FIX] Missing pinned icon indicator for messages pinned (#16448)
  • Chatpal: limit results to current room (#17718)
  • Do not build Docker image for fork PRs (#17370)
  • [IMPROVE] Use REST for DDP calls by default (#17934)
  • [IMPROVE] Add rate limiter to UiKit endpoints (#17859)
  • LingoHub based on develop (#17796)
  • [IMPROVE] Change default upload settings to only block SVG files (#17933)
  • Update Dockerfile to not depend on custom base image (#17802)
  • [IMPROVE][Performance] Add new database indexes to improve data query performance (#17839)
  • [FIX] Undesirable message updates after user saving profile (#17930)
  • ...
@sampaiodiego sampaiodiego mentioned this pull request Jun 30, 2020
@georgmu
Contributor

georgmu commented Oct 23, 2020

@sampaiodiego Could you please explain why svg is on the blocklist?

I ran into a problem uploading a python script (test.py) and wondered why it didn't work. Searching for a reason (together with #18263) I wonder why svg is blocked here. What makes it so special? There are no comments anywhere (commit message, code) which explain this blocking.

@sampaiodiego
Member Author

SVG files cannot be rendered directly into the chat history as they support scripts. So until we properly handle that, we decided to disable them by default.

@palmeida

palmeida commented Nov 3, 2020

I came across this today, trying to upload Jupyter notebooks, and I thought there might be some reason to block SVG files that I shouldn't mess with. I don't know what you mean by "rendered directly into the chat history", so I don't understand what may be the consequences. I now have an empty Blocked Media Types field and everything seems to work fine (I can upload Jupyter notebooks and an SVG upload also worked, and was rendered in the chat window).

@georgmu
Contributor

georgmu commented Nov 3, 2020

don't know what you mean by "rendered directly into the chat history", so I don't understand what may be the consequences.

The problem seems to be an SVG with malicious embedded JavaScript code inside. If there is a preview image of the upload, then this code might be executed.
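The concern described in this thread (an SVG is an XML document that may carry script, and a browser that renders the file inline will run it) is straightforward to check for on the server. The following is an added example and not Rocket.Chat's own code: a blocklist-style upload policy that mirrors this PR's default of blocking only image/svg+xml while allowing everything else (so test.py or a Jupyter notebook pass), plus a heuristic scan of an SVG body for the constructs that make it executable. The function names, the rule list and the sample documents are all constructed for this example.

```javascript
// Added example, not part of Rocket.Chat. Names and samples are constructed.

// Mirrors the PR's default: block only SVG, allow every other media type.
const DEFAULT_BLOCKED_TYPES = ['image/svg+xml'];

// Blocklist-only policy: an upload is accepted unless its MIME type is listed.
// Parameters such as "image/svg+xml; charset=utf-8" are stripped before matching.
function isUploadAllowed(mimeType, blockedTypes = DEFAULT_BLOCKED_TYPES) {
  const type = String(mimeType || '').split(';')[0].trim().toLowerCase();
  if (type.length === 0) return false; // refuse uploads with no declared type
  const blocked = blockedTypes.map((t) => t.trim().toLowerCase());
  return !blocked.includes(type);
}

// Constructs that turn an "image" into an active document when a browser
// opens the SVG directly (or via <object>/<iframe>) instead of via <img>.
const ACTIVE_CONTENT_RULES = [
  { name: 'script element', re: /<\s*script\b/i },
  { name: 'event handler attribute', re: /\son[a-z]+\s*=\s*["']/i },
  { name: 'javascript: URL', re: /\b(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: 'foreignObject (embedded HTML)', re: /<\s*foreignObject\b/i },
  { name: 'external resource reference', re: /\b(?:href|xlink:href)\s*=\s*["']?\s*https?:/i },
];

// Returns the names of every rule the SVG text trips (empty array = nothing found).
// This is a text heuristic; an XML-aware sanitizer is the robust option.
function findActiveContent(svgText) {
  const text = String(svgText || '');
  return ACTIVE_CONTENT_RULES.filter((rule) => rule.re.test(text)).map((rule) => rule.name);
}

// Gate for generating an inline preview: only SVGs with no active content pass.
function isSvgSafeToPreview(svgText) {
  return findActiveContent(svgText).length === 0;
}

// Constructed sample documents used to exercise the checks above.
const SAMPLE_PLAIN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';
const SAMPLE_SCRIPT_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed sample: any code here would run if the file were opened inline */</script><rect width="4" height="4"/></svg>';
const SAMPLE_HANDLER_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="/* constructed sample */"><rect width="4" height="4"/></svg>';

console.log('image/svg+xml allowed by default?', isUploadAllowed('image/svg+xml'));
console.log('text/x-python allowed by default?', isUploadAllowed('text/x-python'));
console.log('plain SVG findings:', findActiveContent(SAMPLE_PLAIN_SVG));
console.log('script SVG findings:', findActiveContent(SAMPLE_SCRIPT_SVG));
console.log('handler SVG findings:', findActiveContent(SAMPLE_HANDLER_SVG));
```

Two caveats a practitioner will want alongside this. First, the preview is only part of the exposure: browsers do not run script for an SVG loaded through an `<img>` element, but they do when the same uploaded file is opened at its own URL on the application's origin or embedded through `<object>` or `<iframe>`, which is why blocking the type by default is a reasonable stop-gap. Second, regex scanning is a heuristic that can be evaded by encoding tricks, so a deployment that wants to re-enable SVG should pair it with an XML-aware sanitizer, serve uploads with `Content-Disposition: attachment` and a restrictive Content-Security-Policy, and ideally host user files on a separate origin.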
