Prevent SVG security issues

2025-03-15 08:29:24 +00:00 · 2022-07-09 09:13:45 +02:00 · 2022-07-09 09:13:45 +02:00 · 850973487a
commit 850973487a
parent 638f9c1a22
2 changed files with 8 additions and 1 deletions
--- a/app/src/main/java/eu/faircode/email/AdapterImage.java
+++ b/app/src/main/java/eu/faircode/email/AdapterImage.java
@ -126,7 +126,9 @@ public class AdapterImage extends RecyclerView.Adapter<AdapterImage.ViewHolder>
                            Log.w(ex);
                        }

-                        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P)
+                        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P &&
+                                !"image/svg+xml".equals(type) &&
+                                !"svg".equals(Helper.getExtension(file.getName())))
                            try {
                                return ImageHelper.getScaledDrawable(context, file, type, max);
                            } catch (Throwable ex) {
--- a/app/src/main/java/eu/faircode/email/ImageHelper.java
+++ b/app/src/main/java/eu/faircode/email/ImageHelper.java
@ -285,6 +285,11 @@ class ImageHelper {
    @NonNull
    static Bitmap renderSvg(InputStream is, int fillColor, int scaleToPixels) throws IOException {
        try {
+            // https://bugzilla.mozilla.org/show_bug.cgi?id=455100
+            // https://bug1105796.bmoattachments.org/attachment.cgi?id=8529795
+            // https://github.com/BigBadaboom/androidsvg/issues/122#issuecomment-361902061
+            SVG.setInternalEntitiesEnabled(false);
+
            SVG svg = SVG.getFromInputStream(is);
            float w = svg.getDocumentWidth();
            float h = svg.getDocumentHeight();