Impact
A malicious user can upload an SVG image containing JavaScript to their server. When matrix-media-repo is asked to serve that media via the /_matrix/media/(r0|v3)/download endpoint, it would be served with a Content-Disposition of inline. This can allow JavaScript to run in the browser if a client links to the /download endpoint directly.
Server operators which do not share a domain between matrix-media-repo and other services are not affected, but are encouraged to upgrade regardless.
Patches
77ec235 and bf8abdd fix the issue. Operators should upgrade to v1.3.0 as soon as possible.
Workarounds
The Content-Disposition header can be overridden by the reverse proxy in front of matrix-media-repo to always use attachment, defeating this issue at the cost of "worse" user experience when clicking download links.
References
https://developer.mozilla.org/en-US/docs/Web/SVG/Element/script
joshqou Finder
Impact
A malicious user can upload an SVG image containing JavaScript to their server. When matrix-media-repo is asked to serve that media via the
/_matrix/media/(r0|v3)/downloadendpoint, it would be served with aContent-Dispositionofinline. This can allow JavaScript to run in the browser if a client links to the/downloadendpoint directly.Server operators which do not share a domain between matrix-media-repo and other services are not affected, but are encouraged to upgrade regardless.
Patches
77ec235 and bf8abdd fix the issue. Operators should upgrade to v1.3.0 as soon as possible.
Workarounds
The
Content-Dispositionheader can be overridden by the reverse proxy in front of matrix-media-repo to always useattachment, defeating this issue at the cost of "worse" user experience when clicking download links.References
https://developer.mozilla.org/en-US/docs/Web/SVG/Element/script