默认禁止上传SVG格式图片，以避免svg图片的xss攻击

2021-09-03 10:27:03 +08:00 · 2021-09-03 10:27:03 +08:00 · 00c26e9c7c
commit 00c26e9c7c
parent a33886e858
2 changed files with 2 additions and 1 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -3,6 +3,7 @@
 ### v0.7.1 2021-09

 - [修复]用户上传文件中yaml加载的安全漏洞；
+- [优化]默认禁止上传SVG图片（有安全风险）；


 ### v0.7.0 2021-08-31
--- a/MrDoc/settings.py
+++ b/MrDoc/settings.py
@ -195,7 +195,7 @@ MEDIA_URL = '/media/'
 MEDIA_ROOT = os.path.join(BASE_DIR,'media')

 # 允许上传的图片后缀
-ALLOWED_IMG = CONFIG.get("image_upload","suffix_name",fallback="jpg,jpeg,gif,png,bmp,webp,svg").split(",")
+ALLOWED_IMG = CONFIG.get("image_upload","suffix_name",fallback="jpg,jpeg,gif,png,bmp,webp").split(",")


 REST_FRAMEWORK = {