
fix: perform SVG sanitization on all file content which is pushed to… #41433

Merged

DeepDiver1975 merged 2 commits into master from fix/imagick-svg on Jan 16, 2026

Conversation

DeepDiver1975 (Member) commented Jan 13, 2026

… Imagick

Description

Bugfix: Apply SVG sanitization to all file content before using ImageMagick

Any file content is now sanitized for SVG threats before being processed by
ImageMagick, preventing potential security vulnerabilities.

How Has This Been Tested?

  • 🤖

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Database schema changes (next release will require increase of minor version instead of patch)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:
  • Changelog item, see TEMPLATE

update-docs bot commented Jan 13, 2026

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

DeepDiver1975 force-pushed the fix/imagick-svg branch 2 times, most recently from e2d94c5 to 91d27dc, January 13, 2026 15:32
DeepDiver1975 marked this pull request as draft January 13, 2026 16:35

DeepDiver1975 (Member, Author) commented Jan 13, 2026

ToDo

DeepDiver1975 marked this pull request as ready for review January 15, 2026 08:50

Review comment on the following lines of the diff:

     */
    private function getResizedPreview($stream, $maxX, $maxY) {
        # file content can be SVG - we need to sanitize it first
        $content = \stream_get_contents($stream);
A reviewer (Member) commented:

I think we need a safety net here. We don't know the length of the stream, and it could potentially be GBs in size.
If sanitizing the SVG as a stream isn't possible, maybe we can read up to a maximum of 10MB (or some configurable value) and not generate the preview if the file is too big.
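One way to build the safety net the reviewer asks for, as an added example that is not ownCloud's code: the stream is read only up to a cap (oversized files get no preview instead of being buffered whole), and SVG content is then refused if it carries active content before anything reaches ImageMagick. The 10 MB cap, the function names and the constructed input are assumptions; the real sanitizer used by the project is not shown here.

```php
<?php
// Added example, not ownCloud's code: the safety net the review asks for.
// Bounded read first (oversized stream => no preview), then a conservative
// pre-check refusing SVG with active content. Cap and names are assumptions.
const PREVIEW_MAX_BYTES = 10 * 1024 * 1024;

// Returns null once more than $maxBytes have been read, so the caller skips
// the preview instead of buffering an arbitrarily large file in memory.
function readBounded($stream, int $maxBytes): ?string {
    $buf = '';
    while (!feof($stream)) {
        $chunk = fread($stream, 8192);
        if ($chunk === false) {
            return null;
        }
        $buf .= $chunk;
        if (strlen($buf) > $maxBytes) {
            return null;
        }
    }
    return $buf;
}

// Sniff SVG from the bytes, not from the file name or a client-supplied type.
function looksLikeSvg(string $content): bool {
    return stripos(substr(ltrim($content), 0, 4096), '<svg') !== false;
}

// Unsafe: script/foreignObject elements, on* event attributes, hrefs that are
// not fragments, or unparseable XML. LIBXML_NONET blocks network fetches.
function svgLooksUnsafe(string $svg): bool {
    $dom = new DOMDocument();
    libxml_use_internal_errors(true); // collect parse errors instead of warning
    if ($svg === '' || !$dom->loadXML($svg, LIBXML_NONET)) {
        return true;
    }
    $hits = (new DOMXPath($dom))->query(
        "//*[local-name()='script' or local-name()='foreignObject']"
        . " | //@*[starts-with(local-name(), 'on')]"
        . " | //@*[local-name()='href' and not(starts-with(., '#'))]"
    );
    return $hits->length > 0;
}
// Constructed input: a small SVG carrying an event-handler attribute.
$stream = fopen('php://memory', 'r+');
fwrite($stream, '<svg xmlns="http://www.w3.org/2000/svg"><rect onload="x()"/></svg>');
rewind($stream);
$content = readBounded($stream, PREVIEW_MAX_BYTES);
$skip = $content === null || (looksLikeSvg($content) && svgLooksUnsafe($content));
echo $skip ? "no preview generated\n" : "safe to hand to ImageMagick\n";
```

For the constructed input the script prints "no preview generated"; a plain SVG without event attributes, scripts or external hrefs would pass the pre-check and still be handed to the project's sanitizer before ImageMagick.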

DeepDiver1975 merged commit 291d80a into master Jan 16, 2026
5 checks passed
DeepDiver1975 deleted the fix/imagick-svg branch January 19, 2026 14:37