git.p6c8.net - jirafeau.git/commit
Made check for MIME type "image/svg+xml" case insensitive
author: Patrick Canterino <patrick@patrick-canterino.de>
Sun, 1 Dec 2024 14:05:34 +0000 (15:05 +0100)
committer: Patrick Canterino <patrick@patrick-canterino.de>
Sun, 1 Dec 2024 14:05:34 +0000 (15:05 +0100)
commit: 6cfca8753d54e2025c6020b2af32529e25f58c66
tree: 28a7c0b0fbcf7ec9b95956ed314ee952e7f4efc4
parent: e1740d86dfd1ee8c5bc02321984e6666bc71266f
Made check for MIME type "image/svg+xml" case insensitive

It was possible to bypass this check by sending a manipulated HTTP request with a MIME type like "image/svg+XML".
This check was originally implemented to address CVE-2022-30110.

Reported by:
- Yann CAM (ycam) (https://yann.cam/)
- Georges TAUPIN (jo) (https://www.georgestaupin.com/)
lib/functions.php
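
The difference between a case-sensitive and a normalized MIME type comparison, as an added example that is not code from this commit or from lib/functions.php. The function names are hypothetical and the sample values are constructed; it goes slightly beyond the commit message by also stripping media-type parameters before comparing.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; these are not functions from lib/functions.php.

/** Reduce a client-supplied Content-Type value to a comparable "type/subtype". */
function normalize_mime_type(string $raw): string
{
    // Drop parameters such as "; charset=utf-8".
    $essence = explode(';', $raw, 2)[0];
    // Type and subtype tokens are case-insensitive (RFC 9110), so fold case.
    return strtolower(trim($essence));
}

/** Case-sensitive comparison: the kind of check the commit message says could be bypassed. */
function is_svg_case_sensitive(string $raw): bool
{
    return $raw === 'image/svg+xml';
}

/** Comparison on the normalized value. */
function is_svg_normalized(string $raw): bool
{
    return normalize_mime_type($raw) === 'image/svg+xml';
}

// Constructed sample values.
$samples = [
    'image/svg+xml',
    'image/svg+XML',                 // the value quoted in the commit message
    'Image/SVG+xml; charset=utf-8',  // same type with a parameter attached
    'image/png',
];

foreach ($samples as $sample) {
    printf(
        "%-32s case-sensitive=%-5s normalized=%s\n",
        $sample,
        var_export(is_svg_case_sensitive($sample), true),
        var_export(is_svg_normalized($sample), true)
    );
}
```

Only the first sample matches the case-sensitive check, while the normalized check matches the first three and rejects `image/png`.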
