source: josm/trunk/src/com/kitfox/svg/ImageSVG.java@ 14082

Last change on this file since 14082 was 11526, checked in by Don-vip, 8 years ago

fix #14319 - CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)

  • Property svn:eol-style set to native
File size: 10.3 KB
Line 
1/*
2 * SVG Salamander
3 * Copyright (c) 2004, Mark McKay
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or
7 * without modification, are permitted provided that the following
8 * conditions are met:
9 *
10 * - Redistributions of source code must retain the above
11 * copyright notice, this list of conditions and the following
12 * disclaimer.
13 * - Redistributions in binary form must reproduce the above
14 * copyright notice, this list of conditions and the following
15 * disclaimer in the documentation and/or other materials
16 * provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
23 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
24 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
27 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
29 * OF THE POSSIBILITY OF SUCH DAMAGE.
30 *
31 * Mark McKay can be contacted at mark@kitfox.com. Salamander and other
32 * projects can be found at http://www.kitfox.com
33 *
34 * Created on February 20, 2004, 10:00 PM
35 */
36package com.kitfox.svg;
37
38import com.kitfox.svg.app.data.Handler;
39import com.kitfox.svg.xml.StyleAttribute;
40import java.awt.AlphaComposite;
41import java.awt.Composite;
42import java.awt.Graphics2D;
43import java.awt.geom.AffineTransform;
44import java.awt.geom.Point2D;
45import java.awt.geom.Rectangle2D;
46import java.awt.image.BufferedImage;
47import java.net.URI;
48import java.net.URL;
49import java.util.List;
50import java.util.logging.Level;
51import java.util.logging.Logger;
52
53/**
54 * Implements an image.
55 *
56 * @author Mark McKay
57 * @author <a href="mailto:mark@kitfox.com">Mark McKay</a>
58 */
59public class ImageSVG extends RenderableElement
60{
61 public static final String TAG_NAME = "image";
62
63 float x = 0f;
64 float y = 0f;
65 float width = 0f;
66 float height = 0f;
67// BufferedImage href = null;
68 URL imageSrc = null;
69 AffineTransform xform;
70 Rectangle2D bounds;
71
72 /**
73 * Creates a new instance of Font
74 */
75 public ImageSVG()
76 {
77 }
78
79 @Override
80 public String getTagName()
81 {
82 return TAG_NAME;
83 }
84
85 @Override
86 protected void build() throws SVGException
87 {
88 super.build();
89
90 StyleAttribute sty = new StyleAttribute();
91
92 if (getPres(sty.setName("x")))
93 {
94 x = sty.getFloatValueWithUnits();
95 }
96
97 if (getPres(sty.setName("y")))
98 {
99 y = sty.getFloatValueWithUnits();
100 }
101
102 if (getPres(sty.setName("width")))
103 {
104 width = sty.getFloatValueWithUnits();
105 }
106
107 if (getPres(sty.setName("height")))
108 {
109 height = sty.getFloatValueWithUnits();
110 }
111
112 try
113 {
114 if (getPres(sty.setName("xlink:href")))
115 {
116 URI src = sty.getURIValue(getXMLBase());
117 // CVE-2017-5617: Allow only data scheme
118 if ("data".equals(src.getScheme()))
119 {
120 imageSrc = new URL(null, src.toASCIIString(), new Handler());
121 }
122 }
123 } catch (Exception e)
124 {
125 throw new SVGException(e);
126 }
127
128 if (imageSrc != null)
129 {
130 diagram.getUniverse().registerImage(imageSrc);
131
132 //Set widths if not set
133 BufferedImage img = diagram.getUniverse().getImage(imageSrc);
134 if (img == null)
135 {
136 xform = new AffineTransform();
137 bounds = new Rectangle2D.Float();
138 return;
139 }
140
141 if (width == 0)
142 {
143 width = img.getWidth();
144 }
145 if (height == 0)
146 {
147 height = img.getHeight();
148 }
149
150 //Determine image xform
151 xform = new AffineTransform();
152 xform.translate(this.x, this.y);
153 xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
154 }
155
156 bounds = new Rectangle2D.Float(this.x, this.y, this.width, this.height);
157 }
158
159 public float getX()
160 {
161 return x;
162 }
163
164 public float getY()
165 {
166 return y;
167 }
168
169 public float getWidth()
170 {
171 return width;
172 }
173
174 public float getHeight()
175 {
176 return height;
177 }
178
179 @Override
180 void pick(Point2D point, boolean boundingBox, List<List<SVGElement>> retVec) throws SVGException
181 {
182 if (getBoundingBox().contains(point))
183 {
184 retVec.add(getPath(null));
185 }
186 }
187
188 @Override
189 void pick(Rectangle2D pickArea, AffineTransform ltw, boolean boundingBox, List<List<SVGElement>> retVec) throws SVGException
190 {
191 if (ltw.createTransformedShape(getBoundingBox()).intersects(pickArea))
192 {
193 retVec.add(getPath(null));
194 }
195 }
196
197 @Override
198 public void render(Graphics2D g) throws SVGException
199 {
200 StyleAttribute styleAttrib = new StyleAttribute();
201 if (getStyle(styleAttrib.setName("visibility")))
202 {
203 if (!styleAttrib.getStringValue().equals("visible"))
204 {
205 return;
206 }
207 }
208
209 if (getStyle(styleAttrib.setName("display")))
210 {
211 if (styleAttrib.getStringValue().equals("none"))
212 {
213 return;
214 }
215 }
216
217 beginLayer(g);
218
219 float opacity = 1f;
220 if (getStyle(styleAttrib.setName("opacity")))
221 {
222 opacity = styleAttrib.getRatioValue();
223 }
224
225 if (opacity <= 0)
226 {
227 return;
228 }
229
230 Composite oldComp = null;
231
232 if (opacity < 1)
233 {
234 oldComp = g.getComposite();
235 Composite comp = AlphaComposite.getInstance(AlphaComposite.SRC_OVER, opacity);
236 g.setComposite(comp);
237 }
238
239 BufferedImage img = diagram.getUniverse().getImage(imageSrc);
240 if (img == null)
241 {
242 return;
243 }
244
245 AffineTransform curXform = g.getTransform();
246 g.transform(xform);
247
248 g.drawImage(img, 0, 0, null);
249
250 g.setTransform(curXform);
251 if (oldComp != null)
252 {
253 g.setComposite(oldComp);
254 }
255
256 finishLayer(g);
257 }
258
259 @Override
260 public Rectangle2D getBoundingBox()
261 {
262 return boundsToParent(bounds);
263 }
264
265 /**
266 * Updates all attributes in this diagram associated with a time event. Ie,
267 * all attributes with track information.
268 *
269 * @return - true if this node has changed state as a result of the time
270 * update
271 */
272 @Override
273 public boolean updateTime(double curTime) throws SVGException
274 {
275// if (trackManager.getNumTracks() == 0) return false;
276 boolean changeState = super.updateTime(curTime);
277
278 //Get current values for parameters
279 StyleAttribute sty = new StyleAttribute();
280 boolean shapeChange = false;
281
282 if (getPres(sty.setName("x")))
283 {
284 float newVal = sty.getFloatValueWithUnits();
285 if (newVal != x)
286 {
287 x = newVal;
288 shapeChange = true;
289 }
290 }
291
292 if (getPres(sty.setName("y")))
293 {
294 float newVal = sty.getFloatValueWithUnits();
295 if (newVal != y)
296 {
297 y = newVal;
298 shapeChange = true;
299 }
300 }
301
302 if (getPres(sty.setName("width")))
303 {
304 float newVal = sty.getFloatValueWithUnits();
305 if (newVal != width)
306 {
307 width = newVal;
308 shapeChange = true;
309 }
310 }
311
312 if (getPres(sty.setName("height")))
313 {
314 float newVal = sty.getFloatValueWithUnits();
315 if (newVal != height)
316 {
317 height = newVal;
318 shapeChange = true;
319 }
320 }
321
322 try
323 {
324 if (getPres(sty.setName("xlink:href")))
325 {
326 URI src = sty.getURIValue(getXMLBase());
327
328 URL newVal = null;
329 // CVE-2017-5617: Allow only data scheme
330 if ("data".equals(src.getScheme()))
331 {
332 newVal = new URL(null, src.toASCIIString(), new Handler());
333 }
334
335 if (newVal != null && !newVal.equals(imageSrc))
336 {
337 imageSrc = newVal;
338 shapeChange = true;
339 }
340 }
341 } catch (IllegalArgumentException ie)
342 {
343 Logger.getLogger(SVGConst.SVG_LOGGER).log(Level.WARNING,
344 "Image provided with illegal value for href: \""
345 + sty.getStringValue() + '"', ie);
346 } catch (Exception e)
347 {
348 Logger.getLogger(SVGConst.SVG_LOGGER).log(Level.WARNING,
349 "Could not parse xlink:href", e);
350 }
351
352
353 if (shapeChange)
354 {
355 build();
356// diagram.getUniverse().registerImage(imageSrc);
357//
358// //Set widths if not set
359// BufferedImage img = diagram.getUniverse().getImage(imageSrc);
360// if (img == null)
361// {
362// xform = new AffineTransform();
363// bounds = new Rectangle2D.Float();
364// }
365// else
366// {
367// if (width == 0) width = img.getWidth();
368// if (height == 0) height = img.getHeight();
369//
370// //Determine image xform
371// xform = new AffineTransform();
372//// xform.setToScale(this.width / img.getWidth(), this.height / img.getHeight());
373//// xform.translate(this.x, this.y);
374// xform.translate(this.x, this.y);
375// xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
376//
377// bounds = new Rectangle2D.Float(this.x, this.y, this.width, this.height);
378// }
379//
380// return true;
381 }
382
383 return changeState || shapeChange;
384 }
385}
Note: See TracBrowser for help on using the repository browser.