有什么方法可以使用户上传的SVG图像免受代码注入等的影响? [英] Is there any way to make user uploaded SVG images safe from code injection etc?
问题描述
我想在网站上显示用户上传的SVG图像,但是它们很容易受到攻击:
I want to display user uploaded SVG images on a website, but they're quite open to exploits:
- https://security.stackexchange.com/questions/11384/exploits-or-其他安全风险与svg上载
- https://security.stackexchange.com/questions/36447/img-tag-vulnerability
- https://security.stackexchange.com/questions/11384/exploits-or-other-security-risks-with-svg-upload
- https://security.stackexchange.com/questions/36447/img-tag-vulnerability
例如,任意javascript都可以嵌入SVG 中。性能利用方面也存在问题,但我会考虑优先级较低的问题。
For example, arbitrary javascript can be embedded in SVG. There's also issues with performance exploits, but I'd consider those lower priority.
是否有任何机制可以使SVG更加安全并仅将其用作映像?我可以简单地信任< img src = / media / user-uploaded-image.svg />
吗?
Is there any mechanism to make SVG somewhat safe and only use it as an image? Can I simply trust <img src="/media/user-uploaded-image.svg" />
?
Wikipedia / Wikimedia Commons托管SVG文件。有谁知道他们采取了什么措施来防止SVG攻击?
Wikipedia/Wikimedia Commons hosts SVG files. Does anyone know what measures they take to prevent SVG exploits?
推荐答案
Wikipedia / Wikimedia Commons托管了SVG文件。有谁知道他们采取了什么措施来防止SVG攻击?
Wikipedia/Wikimedia Commons hosts SVG files. Does anyone know what measures they take to prevent SVG exploits?
他们通过单独的主机名(特别是<$ c $)提供上传的文件c> upload.wikimedia.org 。您可以跨站点脚本到自己喜欢的所有内容中,但是并不能为您带来任何收益:它与 en.wikipedia.org
的起源不同,并且不能
They serve the uploaded files from a separate hostname, specifically upload.wikimedia.org
. You can cross-site-script into there all you like but it doesn't get you anything: it lives in a different origin to en.wikipedia.org
and can't touch its cookies or interact with its script.
这最终是处理文件上传的唯一密封方法,这也是大多数大型公司所做的。彻底扫描允许您允许使用任意文件时存在的所有众多晦涩的XSS可能性实在太困难了。
This is ultimately the only airtight way to handle file uploads, and what most of the big players do. It is just too difficult to do a thorough scan for all the many obscure XSS possibilities that exist when you allow arbitrary files.
信任
< img src = / media / user-uploaded-image.svg />
?
< img>
的作用并不重要,用户可以直接直接导航到SVG地址,然后执行在网站的原始位置显示整页脚本。
It doesn't really matter what <img>
does—the user can simply be navigated directly to the SVG address and it'll execute script full-page in the site's origin.
这篇关于有什么方法可以使用户上传的SVG图像免受代码注入等的影响?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!