Support SVG avatars #8707
Comments
I think it's the same. Since it cannot be rendered safely, we cannot allow it to be uploaded.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.
This issue has been automatically closed because of inactivity. You can re-open it if needed.
The issue still occurs. Would be great if it got reopened.
I don't know if there is a risk for that.
Some references:
Thanks for the references. The error message "The uploaded file is not an image." is the locale value for the variable "uploaded_avatar_not_a_image", which is present in the two files "routers/web/repo/setting.go" and "routers/web/user/setting/profile.go". For an uploaded image there is the following content type check:

```go
st := typesniffer.DetectContentType(data)
// Accept only sniffed images, and never SVG even though it sniffs as an image.
if !(st.IsImage() && !st.IsSvgImage()) {
	return errors.New(ctx.Tr("settings.uploaded_avatar_not_a_image"))
}
```

EDIT: I've found the line where it is rejected. It's the second `!` in the function above.
If there is a battle-tested SVG sanitizer available in golang, we could reconsider.
@silverwind I've done a quick search on GitHub and Google for one, but unfortunately I found just a few simple tag cleaners (they remove script tags, so far from battle-tested). As far as I have seen, the current method for securing SVGs is to use an adequate Content Security Policy (HTTP header) or (better: and) to use img tags for displaying the SVG image.

Additionally, I would suggest that SVG uploads must be enabled in the ini config. I think Gitea admins should be able to decide on their own whether they want to use this functionality and accept the residual risk that it can be exploited. For a public instance it can make sense to forbid it, but for private instances the admins should have the possibility to allow it.
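Both the content-type check quoted earlier in the thread and the remark that a cleaner which only strips script tags is far from battle-tested can be shown in one small program. The following is an added example, not Gitea's code and not posted by anyone in this issue: the function names (sniffImage, isSVGRoot, acceptableAvatar, activeContent), the PNG signature and the two SVG documents are constructed for illustration, and the sniffing is a deliberately simple stand-in for typesniffer. It applies the same rule as the quoted check (an image, but not SVG) and then walks an SVG with encoding/xml to list the script vectors that survive a script-tag-only cleaner: event-handler attributes, javascript: hrefs and foreignObject.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"strings"
)

// Sniffed kinds: "png", "jpeg", "gif", "svg", or "" for anything else.
const (
	kindPNG, kindJPEG, kindGIF, kindSVG = "png", "jpeg", "gif", "svg"
)

// Constructed inputs for this example (not real uploads): a PNG signature and
// an SVG that runs script when rendered inline without any <script> element.
var pngHeader = []byte("\x89PNG\r\n\x1a\n")

const activeSVG = `<?xml version="1.0"?>
<!-- constructed sample for this example -->
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <a xlink:href="javascript:alert(2)"><circle cx="8" cy="8" r="6"/></a>
</svg>`

// sniffImage identifies raster formats by magic bytes and SVG by its root element.
func sniffImage(data []byte) string {
	switch {
	case bytes.HasPrefix(data, pngHeader):
		return kindPNG
	case bytes.HasPrefix(data, []byte("\xff\xd8\xff")):
		return kindJPEG
	case bytes.HasPrefix(data, []byte("GIF87a")), bytes.HasPrefix(data, []byte("GIF89a")):
		return kindGIF
	case isSVGRoot(data):
		return kindSVG
	}
	return ""
}

// isSVGRoot skips the XML declaration, comments and DOCTYPE; non-XML input yields false.
func isSVGRoot(data []byte) bool {
	dec := xml.NewDecoder(bytes.NewReader(data))
	dec.Strict = false
	for {
		tok, err := dec.Token()
		if err != nil {
			return false
		}
		if se, ok := tok.(xml.StartElement); ok {
			return strings.EqualFold(se.Name.Local, "svg")
		}
	}
}

// acceptableAvatar applies the rule quoted from Gitea: an image, but never SVG.
func acceptableAvatar(data []byte) error {
	if k := sniffImage(data); k == "" || k == kindSVG {
		return fmt.Errorf("the uploaded file is not an image (sniffed as %q)", k)
	}
	return nil
}

// activeContent lists where an SVG can run script when rendered inline: <script> and
// <foreignObject> elements, on* event attributes and javascript: hrefs.
func activeContent(data []byte) []string {
	var found []string
	dec := xml.NewDecoder(bytes.NewReader(data))
	dec.Strict = false
	for {
		tok, err := dec.Token()
		if err != nil { // io.EOF or a parse error: either way we are done
			return found
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		name := strings.ToLower(se.Name.Local)
		if name == "script" || name == "foreignobject" {
			found = append(found, "<"+name+">")
		}
		for _, a := range se.Attr {
			attr := strings.ToLower(a.Name.Local)
			val := strings.ToLower(strings.TrimSpace(a.Value))
			if strings.HasPrefix(attr, "on") || (attr == "href" && strings.HasPrefix(val, "javascript:")) {
				found = append(found, "<"+name+" "+attr+">")
			}
		}
	}
}

func main() {
	fmt.Println(sniffImage(pngHeader), acceptableAvatar(pngHeader), sniffImage([]byte(activeSVG)), acceptableAvatar([]byte(activeSVG)))
	fmt.Println("active content:", activeContent([]byte(activeSVG)))
}
```

The sample SVG contains no `<script>` element, yet activeContent reports two findings, which is the gap between "removes script tags" and a sanitizer one could trust; the upload path never gets that far, because acceptableAvatar rejects the file on the sniffed kind alone.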
SVG images are not supported as avatars (cannot be uploaded, reported to "not be an image").
I'm not sure this is a duplicate of #1095 so I'm filing it separately