From 850973487a41a4c292faf05d9cdb94d3539637b5 Mon Sep 17 00:00:00 2001
From: M66B
Date: Sat, 9 Jul 2022 09:13:45 +0200
Subject: [PATCH] Prevent SVG security issues
---
 app/src/main/java/eu/faircode/email/AdapterImage.java | 4 +++-
 app/src/main/java/eu/faircode/email/ImageHelper.java | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/app/src/main/java/eu/faircode/email/AdapterImage.java b/app/src/main/java/eu/faircode/email/AdapterImage.java
index 796e9219b5..42bcccfb2c 100644
--- a/app/src/main/java/eu/faircode/email/AdapterImage.java
+++ b/app/src/main/java/eu/faircode/email/AdapterImage.java
@@ -126,7 +126,9 @@ public class AdapterImage extends RecyclerView.Adapter
 Log.w(ex);
 }
- if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P)
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P &&
+ !"image/svg+xml".equals(type) &&
+ !"svg".equals(Helper.getExtension(file.getName())))
 try {
 return ImageHelper.getScaledDrawable(context, file, type, max);
 } catch (Throwable ex) {
diff --git a/app/src/main/java/eu/faircode/email/ImageHelper.java b/app/src/main/java/eu/faircode/email/ImageHelper.java
index b320ff430c..d39bd02c3c 100644
--- a/app/src/main/java/eu/faircode/email/ImageHelper.java
+++ b/app/src/main/java/eu/faircode/email/ImageHelper.java
@@ -285,6 +285,11 @@ class ImageHelper {
 @NonNull
 static Bitmap renderSvg(InputStream is, int fillColor, int scaleToPixels) throws IOException {
 try {
+ // https://bugzilla.mozilla.org/show_bug.cgi?id=455100
+ // https://bug1105796.bmoattachments.org/attachment.cgi?id=8529795
+ // https://github.com/BigBadaboom/androidsvg/issues/122#issuecomment-361902061
+ SVG.setInternalEntitiesEnabled(false);
+
 SVG svg = SVG.getFromInputStream(is);
 float w = svg.getDocumentWidth();
 float h = svg.getDocumentHeight();
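Review bot: The SVG exclusion added to the `if` condition in AdapterImage.java matches on exact, case-sensitive strings, while `type` and the file name presumably originate from the message attachment and are therefore chosen by the sender. A content type written in a different case or carrying parameters would not equal `"image/svg+xml"`, and whether `Helper.getExtension` lower-cases its result is not visible in this hunk. Consider `!"image/svg+xml".equalsIgnoreCase(type)` and the same comparison for the extension, or normalise both values once before the check. A one-line comment such as `// SVG must not reach getScaledDrawable; see renderSvg` above the condition would record why the exclusion exists. The enclosing method starts and ends outside the hunk, so what handles the skipped SVG afterwards cannot be confirmed from here.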
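Review bot: `SVG.setInternalEntitiesEnabled(false)` in ImageHelper.java is a static call, so the setting is library-wide, yet it is applied inside `renderSvg` immediately before parsing. Any other code path that parses SVG through the same library without going through `renderSvg` is covered only if `renderSvg` has already run; setting the flag once in a static initializer of `ImageHelper` or at application start would make the hardening independent of call order. The three URLs do not say what is being prevented, so a summary line such as `// Disable internal entity expansion when parsing untrusted SVG` above them would help the next reader. `renderSvg` continues past the end of the hunk.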