
As Designed Image Proxy didn't work on Images with .webp extension

Discussion in 'Resolved Bug Reports' started by RoldanLT, Feb 5, 2014.

  1. RoldanLT

    RoldanLT Well-Known Member

  2. Mike

    Mike XenForo Developer Staff Member

    I responded elsewhere that this is intentional - we only allow PNG, GIF, and JPEG and we do basic verification on them.
     
  3. Moshe1010

    Moshe1010 Well-Known Member

    Is it possible to extend (let's say with an add-on) the image proxy to support different formats?
     
  4. RoldanLT

    RoldanLT Well-Known Member

    What :(
    And Why?
    What's wrong with that extension?
    @digitalpoint addon support that perfectly :(
     
  5. Jeremy P

    Jeremy P Well-Known Member

    Yeah I don't see why you wouldn't support more formats out of the box. Seems silly and really easy to implement.
     
  6. digitalpoint

    digitalpoint Well-Known Member

  7. p4guru

    p4guru Well-Known Member

    Yeah I use webp images too (ngx_pagespeed auto-converted png images) so it would be nice to support webp. :)
     
  8. Mike

    Mike XenForo Developer Staff Member

    Well, silent re-encoding isn't relevant -- that's done based on the Accept header so it wouldn't apply.

    In general, there are some potential security considerations here. We also don't want arbitrary content cached (so we do basic image verification). Worth noting that WebP isn't covered by getimagesize() (nor is SVG, but that's a bit different).

    In terms of security, SVG can include JS (see https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf). Since it's being proxied, it would then run in the context of your forum. That's an XSS right there.
     
  9. digitalpoint

    digitalpoint Well-Known Member

    SVG can include JavaScript, but that JS will never execute if the SVG is rendered with an IMG tag. You more or less need to implicitly allow it by embedding it with an OBJECT tag. Because as you point out, imagine what sort of nastiness people could pull with it... Could replace people's AdSense or something.

    I actually needed embedded JS in SVG for something legit (just for some manipulation of the image itself) and it was driving me crazy how it would work until it was an embedded image. Then figured out browsers disable it when using IMG tag (for good reason).

    http://www.schepers.cc/svg/blendups/embedding.html
     
  10. Mike

    Mike XenForo Developer Staff Member

    The browser executes the JS if you visit the URL directly though, so it's still an XSS unfortunately...
     
  11. digitalpoint

    digitalpoint Well-Known Member

    True, but so does any web page. If you follow a link to my website, JS will get executed. Would that be any different?

    Not sure how that would be an XSS anymore than visiting any page via a link because the JS would run only when it's outside the scope of the page you clicked the link from. Maybe I'm missing something?
     
  12. Mike

    Mike XenForo Developer Staff Member

    It's not really about manipulating the page, but stealing data or whatever you want with an XSS. Since the image is proxied, it's run in your site's security context, which means that an Ajax request could be made to your forum (which means getting the CSRF token and then making any request they potentially want). You just need to "trick" someone to viewing the image directly.
     
  13. digitalpoint

    digitalpoint Well-Known Member

    Hmmm... Have you tested this with SVG attachments by chance?
     
  14. Mike

    Mike XenForo Developer Staff Member

    We only allow a whitelisted set of content types to be displayed inline (not including SVG).

    Actually, looks like I may have made a mistake in my test. It doesn't seem to work as simply as I thought. You may be able to get the uploaded SVG embedded in a context where script does run (object, iframe, etc) and I would imagine it'd be running in the served domain context, though I'd have to confirm this.

    SVG most definitely has been an attack vector before -- GMail was bitten by it, for example (involved code running in their domain context).
     
  15. Null

    Null Well-Known Member

    http://www.tapper-ware.net/blog/?p=184.
     
  16. digitalpoint

    digitalpoint Well-Known Member

    Ya, I didn't mean an attachment being inserted inline, rather an SVG attachment existing in your domain and becoming an XSS issue like you mentioned by someone visiting the attachment URL. Haven't looked into it myself (just on cell phone at the moment)
     
  17. Mike

    Mike XenForo Developer Staff Member

    We just send application/octet-stream, which the browser saves. (Fortunately, MIME sniffing is mostly over.)

    A bit more playing and I'm pretty sure I can XSS with SVG. I think my test document just had some mistakes/over-simplifications.
     
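Two of Mike's points above fit together: the proxy does "basic image verification" on a whitelist of PNG, GIF and JPEG (and getimagesize() does not recognise WebP), and anything that is not an accepted image is served as application/octet-stream so the browser saves it rather than rendering it in the forum's origin. The following is an added illustration of that gate in Python, not XenForo's code: the format signatures come from the public specifications, the sample payloads are constructed (only their leading bytes matter), and the function names and the returned decision dictionary are this example's own.

```python
"""Magic-byte verification for an image proxy (added example, not XenForo code).

Accept only PNG, GIF, JPEG and WebP, identified by their leading bytes rather
than by the URL's extension or the upstream Content-Type header, and derive the
response headers from the sniffed type.  Anything else, including SVG, which
can carry <script>, is refused for inline display.
"""

import struct
from typing import Optional

# Leading-byte signatures taken from the public format specifications.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
JPEG_MAGIC = b"\xff\xd8\xff"
UTF8_BOM = b"\xef\xbb\xbf"


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the whitelisted MIME type for `data`, or None if it is not one
    of the four accepted raster formats.

    WebP is not a fixed prefix but a RIFF container: 'RIFF', a little-endian
    length, then 'WEBP'.  getimagesize() in the PHP version discussed in the
    thread did not recognise it, so the check is written out here."""
    if data.startswith(PNG_MAGIC):
        return "image/png"
    if data.startswith(GIF_MAGICS):
        return "image/gif"
    if data.startswith(JPEG_MAGIC):
        return "image/jpeg"
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        # The RIFF length field counts every byte after offset 8; a mismatch
        # means a truncated download or trailing data, so refuse it.
        (riff_len,) = struct.unpack("<I", data[4:8])
        if riff_len + 8 == len(data):
            return "image/webp"
    return None


def looks_like_markup(data: bytes) -> bool:
    """True if the payload starts (after an optional BOM and whitespace) with
    '<', i.e. it is XML/SVG/HTML rather than a binary image.  Used only to
    give a more useful rejection reason; it is never a reason to accept."""
    body = data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data
    return body.lstrip().startswith(b"<")


def proxy_decision(data: bytes) -> dict:
    """Decide how a proxied payload is served (hypothetical return shape).

    Accepted images are cached and served inline with the sniffed Content-Type.
    Everything else is not cached and goes out as application/octet-stream with
    Content-Disposition: attachment, so the browser saves it instead of running
    it in the forum's origin.  X-Content-Type-Options: nosniff stops the browser
    from second-guessing the declared type in either case."""
    mime = sniff_image_type(data)
    headers = {"X-Content-Type-Options": "nosniff"}
    if mime is None:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
        reason = "markup" if looks_like_markup(data) else "unknown-format"
        return {"cache": False, "headers": headers, "reason": reason}
    headers["Content-Type"] = mime
    headers["Content-Disposition"] = "inline"
    return {"cache": True, "headers": headers, "reason": None}


# Constructed sample payloads for the demonstration (not real images; only the
# leading bytes and the RIFF length field matter to the checks above).
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 8
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8


def _make_webp(chunks: bytes) -> bytes:
    """Wrap `chunks` in a RIFF/WEBP header with a correct length field."""
    return b"RIFF" + struct.pack("<I", 4 + len(chunks)) + b"WEBP" + chunks


SAMPLE_WEBP = _make_webp(b"VP8 " + struct.pack("<I", 8) + b"\x00" * 8)
# An SVG carrying script, the case discussed in the thread, plus a variant
# hidden behind a BOM and leading whitespace.
SAMPLE_SVG = (b'<?xml version="1.0"?>'
              b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>alert(document.domain)</script></svg>')
SAMPLE_SVG_BOM = UTF8_BOM + b"\n  " + SAMPLE_SVG

if __name__ == "__main__":
    for name, blob in [("png", SAMPLE_PNG), ("webp", SAMPLE_WEBP),
                       ("svg", SAMPLE_SVG_BOM), ("truncated webp", SAMPLE_WEBP[:-1])]:
        print(name, proxy_decision(blob))
```

The point of keying everything on the sniffed bytes is that the extension and the remote server's Content-Type are both attacker-controlled; a file called `x.webp` that is really SVG is still refused, and a WebP that getimagesize() would not identify is still accepted.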
  18. RoldanLT

    RoldanLT Well-Known Member

    Ow :)
    .webp images are already supported :)
    Thanks @Mike
     
  19. RoldanLT

    RoldanLT Well-Known Member

    But not all .webp works. :rolleyes:
     
  20. RoldanLT

    RoldanLT Well-Known Member

    Still not working on .webp images generated by ngx_pagespeed.
    Test: [image]
     
