Bug #93884


fileadmin/.htaccess (resources-root-htaccess) partially blocks SVG files

Added by Marco H over 3 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
-
Target version:
-
Start date:
2021-04-08
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
10
PHP Version:
Tags:
Complexity:
easy
Is Regression:
Sprint Focus:

Description

So with version 10.4.11, the file "resources-root-htaccess", which generates .htaccess inside fileadmin, has been updated to a stricter CSP.
This causes problems with uploaded SVG files, since SVG files may contain style and script tags as well as style attributes. The SVG may then be all black or lack animation.

Would the best approach be to match svg files (like it is done with pdf) and change the CSP?


Files

test.svg (1.53 KB) - Marco H, 2021-05-14 21:08
resources-root-htaccess (1.89 KB) - Andreas Hager, 2021-08-19 17:57
svg-style.svg (921 Bytes) - Test SVG for CSP - Oliver Hader, 2022-08-31 09:59

Related issues 3 (0 open, 3 closed)

Related to TYPO3 Core - Bug #93035: fileadmin/.htaccess prevents Safari from accessing PDF files (after latest security update) (Closed, 2020-12-09)

Related to TYPO3 Core - Bug #100041: Unexpected warning in environment status check after new CSP default for svg files in resources root htaccess (Closed, 2023-02-27)

Has duplicate TYPO3 Core - Bug #95312: SVG Style-Tag CSP-Block / Firefox-Bug (Closed, 2021-09-22)

Actions #1

Updated by Georg Ringer over 3 years ago

  • Related to Bug #93035: fileadmin/.htaccess prevents Safari from accessing PDF files (after latest security update) added
Actions #2

Updated by Georg Ringer over 3 years ago

  • Status changed from New to Needs Feedback

Can you check if this is still the case in the latest versions, after the changes of #93035?

Actions #3

Updated by Marco H over 3 years ago

Still an issue with 10.4.16

To reproduce the issue best, upload it in fileadmin and click on "show" (error not as reliably reproducible when used in img-tag).

I've attached an SVG file for testing; it causes a CSP inline style error:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-sC0BVe7Sre2mjplSlS8Lw5K2vnLaWV+cQjtuz6e2u+Y='), or a nonce ('nonce-...') is required to enable inline execution.

Actions #4

Updated by Andreas Hager over 3 years ago

Still an issue with TYPO3 v10.4.20

We have the same problem: our customers upload SVGs with inline styles, and they are not allowed due to the CSP rule.
We changed the following code to allow inline styles for SVGs (complete file attached).

     <FilesMatch "\.pdf$">
         Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;" 
     </FilesMatch>
+    # matching requested *.svg files only (allow inline styles for SVGs)
+    <FilesMatch "\.svg$">
+        Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'unsafe-inline'; object-src 'none';" 
+    </FilesMatch>
     # matching anything else, using negative lookbehind pattern
-    <FilesMatch "(?<!\.pdf)$">
+    <FilesMatch "(?<!\.(pdf|svg))$">
         Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';" 
     </FilesMatch>
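
Review bot: the `\.svg$` and `\.pdf$` patterns in this hunk are case-sensitive (no `(?i)` flag), so an upload named `Logo.SVG`, and any `.svgz`, is not matched by the new block and falls through to the catch-all `(?<!\.(pdf|svg))$` block, which still sends `style-src 'none'`; if mixed-case uploads are expected, use `<FilesMatch "(?i)\.svg$">` and mirror the flag in the lookbehind of the catch-all. Keeping `style-src 'unsafe-inline'` without `'self'` or any host source is the right call here: inline `<style>` and `style=` render, while references to external stylesheets (`<?xml-stylesheet href=...?>`, `@import`) stay blocked and `script-src 'none'` still covers scripts.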

Hope this helps! :)

Actions #5

Updated by Oliver Hader about 2 years ago

Using directive style-src 'unsafe-inline' for .svg files seems to be fine (not talking about inline SVG embedded in HTML - which is totally different).

The attached test file svg-style.svg tries to load external CSS resources (e.g. used for IP sniffing, which is data-privacy related). CSP should still block these kinds of requests.
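
The two effects discussed in comments #3 and #5 (an inline `<style>` being refused under `style-src 'none'`, and an external stylesheet reference still being refused under `style-src 'unsafe-inline'`), as an added example that is not TYPO3 code and not from any participant in this thread. The three policy strings are copied from the .htaccess diff in comment #4 and the filename dispatch mirrors its `<FilesMatch>` rules; the sample SVG, the origin `https://www.example.org`, and the function names `select_csp` / `check_svg` are constructed for this illustration.

```python
"""Static CSP impact check for uploaded SVG files (added example, not TYPO3 code)."""
import re

# Policies copied from the .htaccess patch in comment #4.
CSP_PDF = ("default-src 'self' 'unsafe-inline'; script-src 'none'; "
           "object-src 'self'; plugin-types application/pdf;")
CSP_SVG = ("default-src 'self'; script-src 'none'; "
           "style-src 'unsafe-inline'; object-src 'none';")
CSP_DEFAULT = ("default-src 'self'; script-src 'none'; "
               "style-src 'none'; object-src 'none';")

# Same order as the <FilesMatch> blocks; Apache evaluates every matching block
# and the last "Header set" wins. Patterns are case-sensitive, as posted.
FILES_MATCH = [
    (r"\.pdf$", CSP_PDF),
    (r"\.svg$", CSP_SVG),
    (r"(?<!\.(pdf|svg))$", CSP_DEFAULT),
]

INLINE_STYLE_RE = re.compile(r"<style\b|\sstyle\s*=", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script\b|\son[a-z]+\s*=", re.I)
EXTERNAL_CSS_RE = re.compile(
    r"""<\?xml-stylesheet[^>]*?href\s*=\s*["'](https?://[^"']+)"""
    r"""|@import\s+(?:url\()?["']?(https?://[^"')\s]+)""", re.I)


def select_csp(filename):
    """Return the Content-Security-Policy value Apache would emit for a file."""
    policy = None
    for pattern, value in FILES_MATCH:
        if re.search(pattern, filename):
            policy = value  # a later matching block overrides an earlier one
    return policy


def parse_csp(header):
    """Map directive name -> list of source expressions."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives, name):
    """style-src / script-src fall back to default-src when not set."""
    return directives.get(name, directives.get("default-src", []))


def origin_allowed(url, sources, self_origin):
    """Minimal source-list matcher: *, scheme:, 'self', or an exact origin."""
    m = re.match(r"(https?)://([^/]+)", url)
    if not m:
        return False
    origin = f"{m.group(1)}://{m.group(2)}".lower()
    for src in sources:
        if src == "*" or src.lower() == f"{m.group(1)}:":
            return True
        if src == "'self'" and origin == self_origin.lower():
            return True
        if src.lower() == origin:
            return True
    return False


def check_svg(svg, csp, self_origin):
    """Report which SVG features the policy allows or blocks in document mode
    (file opened directly, or via <object>/<iframe>); an SVG rendered through
    <img> never runs scripts or fetches external resources regardless of CSP."""
    d = parse_csp(csp)
    style_src = effective_sources(d, "style-src")
    script_src = effective_sources(d, "script-src")
    findings = {}
    if INLINE_STYLE_RE.search(svg):
        findings["inline_style"] = (
            "allowed" if "'unsafe-inline'" in style_src else "blocked")
    for m in EXTERNAL_CSS_RE.finditer(svg):
        url = m.group(1) or m.group(2)
        findings.setdefault("external_css", {})[url] = (
            "allowed" if origin_allowed(url, style_src, self_origin) else "blocked")
    if INLINE_SCRIPT_RE.search(svg):
        findings["inline_script"] = (
            "allowed" if "'unsafe-inline'" in script_src else "blocked")
    return findings


# Constructed sample: inline <style>, a style attribute, an external
# stylesheet reference (the IP-sniffing case) and an inline script.
SAMPLE_SVG = """<?xml version="1.0"?>
<?xml-stylesheet type="text/css" href="https://tracker.example/s.css"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <style>circle { fill: #0a0; }</style>
  <circle cx="50" cy="50" r="40" style="stroke:#000"/>
  <script>alert(document.domain)</script>
</svg>
"""

if __name__ == "__main__":
    for name in ("logo.svg", "Logo.SVG", "manual.pdf"):
        csp = select_csp(name)
        print(f"{name}: {csp}")
        for feature, verdict in check_svg(SAMPLE_SVG, csp, "https://www.example.org").items():
            print(f"    {feature}: {verdict}")
```

Running it shows `logo.svg` getting the SVG policy (inline style allowed, external CSS and script blocked), `Logo.SVG` falling through to the catch-all policy because the posted patterns are case-sensitive, and `manual.pdf` inheriting `'unsafe-inline'` from its `default-src`. The check is static and deliberately simple (no full CSP grammar, no hash or nonce handling); to see what the server really sends, compare it with `curl -sI https://host/fileadmin/file.svg | grep -i content-security-policy`.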

Actions #6

Updated by Gerrit Code Review about 2 years ago

  • Status changed from Needs Feedback to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75594

Actions #7

Updated by Gerrit Code Review about 2 years ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75594

Actions #8

Updated by Gerrit Code Review about 2 years ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75594

Actions #9

Updated by Sven Burkert almost 2 years ago

  • Priority changed from Should have to Must have
  • Complexity set to easy

@Andreas Hager Thank you:)
I'm wondering why this hasn't been implemented in TYPO3 yet. Every TYPO3 system is affected by this when using SVGs.
Why is the review taking so long?

Actions #10

Updated by Gerrit Code Review almost 2 years ago

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75594

Actions #11

Updated by Oliver Hader almost 2 years ago

  • Related to Bug #95312: SVG Style-Tag CSP-Block / Firefox-Bug added
Actions #12

Updated by Oliver Hader almost 2 years ago

  • Related to deleted (Bug #95312: SVG Style-Tag CSP-Block / Firefox-Bug)
Actions #13

Updated by Oliver Hader almost 2 years ago

  • Has duplicate Bug #95312: SVG Style-Tag CSP-Block / Firefox-Bug added
Actions #14

Updated by Oliver Hader almost 2 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #15

Updated by Gerrit Code Review almost 2 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77456

Actions #16

Updated by Gerrit Code Review almost 2 years ago

Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77457

Actions #17

Updated by Oliver Hader almost 2 years ago

  • Status changed from Under Review to Resolved
Actions #18

Updated by Benni Mack almost 2 years ago

  • Status changed from Resolved to Closed
Actions #19

Updated by Georg Ringer over 1 year ago

  • Related to Bug #100041: Unexpected warning in environment status check after new CSP default for svg files in resources root htaccess added