Changeset 11526 in josm for trunk/src/com/kitfox

Timestamp:

2017-02-02T01:22:52+01:00 (8 years ago)

Author:

Don-vip

Message:

fix #14319 - CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)

File:

• trunk/src/com/kitfox/svg/ImageSVG.java (modified) (3 diffs)

trunk/src/com/kitfox/svg/ImageSVG.java

@@ -115 +115 @@
             {
                 URI src = sty.getURIValue(getXMLBase());
+                // CVE-2017-5617: Allow only data scheme
                 if ("data".equals(src.getScheme()))
                 {
                     imageSrc = new URL(null, src.toASCIIString(), new Handler());
-                } else
-                {
-                    try
-                    {
-                        imageSrc = src.toURL();
-                    } catch (Exception e)
-                    {
-                        Logger.getLogger(SVGConst.SVG_LOGGER).log(Level.WARNING,
-                            "Could not parse xlink:href " + src, e);
-//                        e.printStackTrace();
-                        imageSrc = null;
-                    }
                 }
             }
@@ -137 +126 @@
         }
 
-        diagram.getUniverse().registerImage(imageSrc);
-
-        //Set widths if not set
-        BufferedImage img = diagram.getUniverse().getImage(imageSrc);
-        if (img == null)
-        {
+        if (imageSrc != null)
+        {
+            diagram.getUniverse().registerImage(imageSrc);
+
+            //Set widths if not set
+            BufferedImage img = diagram.getUniverse().getImage(imageSrc);
+            if (img == null)
+            {
+                xform = new AffineTransform();
+                bounds = new Rectangle2D.Float();
+                return;
+            }
+
+            if (width == 0)
+            {
+                width = img.getWidth();
+            }
+            if (height == 0)
+            {
+                height = img.getHeight();
+            }
+
+            //Determine image xform
             xform = new AffineTransform();
-            bounds = new Rectangle2D.Float();
-            return;
-        }
-
-        if (width == 0)
-        {
-            width = img.getWidth();
-        }
-        if (height == 0)
-        {
-            height = img.getHeight();
-        }
-
-        //Determine image xform
-        xform = new AffineTransform();
-//        xform.setToScale(this.width / img.getWidth(), this.height / img.getHeight());
-//        xform.translate(this.x, this.y);
-        xform.translate(this.x, this.y);
-        xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
+            xform.translate(this.x, this.y);
+            xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
+        }
 
         bounds = new Rectangle2D.Float(this.x, this.y, this.width, this.height);
@@ -336 +326 @@
                 URI src = sty.getURIValue(getXMLBase());
 
-                URL newVal;
+                URL newVal = null;
+                // CVE-2017-5617: Allow only data scheme
                 if ("data".equals(src.getScheme()))
                 {
                     newVal = new URL(null, src.toASCIIString(), new Handler());
-                } else
-                {
-                    newVal = src.toURL();
                 }
 
-                if (!newVal.equals(imageSrc))
+                if (newVal != null && !newVal.equals(imageSrc))
                 {
                     imageSrc = newVal;