fix: perform SVG santitization on all file content which is pushed to… (#41433)

* fix: perform SVG santitization on all file content which is pushed to Imagick

* fix: apply max file size limits to class Bitmap

Author: DeepDiver1975

changelog/unreleased/41433

@@ -0,0 +1,6 @@
+Bugfix: Apply SVG sanitization to all file content before using ImageMagick
+
+Any file content is now sanitized for SVG threats before being processed by
+ImageMagick, preventing potential security vulnerabilities.
+
+https://github.com/owncloud/core/pull/41433

lib/private/Image/ImagickFactory.php

@@ -0,0 +1,25 @@
+<?php
+
+namespace OC\Image;
+
+use Imagick;
+use ImagickException;
+
+class ImagickFactory {
+	/**
+	 * @param mixed $files <p>
+	 * The path to an image to load or an array of paths. Paths can include
+	 * wildcards for file names, or can be URLs.
+	 * </p>
+	 * @return Imagick
+	 * @throws ImagickException
+	 */
+	public static function create($files = null): Imagick {
+		$imagick = new Imagick($files);
+		$imagick->setOption('svg:sanitize', 'true');
+		$imagick->setOption('svg:embed', 'false');
+		$imagick->setOption('svg:decode', 'true');
+		return $imagick;
+	}
+
+}

lib/private/Preview.php

@@ -34,6 +34,7 @@
 use OC\Files\Filesystem;
 use OC\Files\View;
 use OCA\Files_Sharing\SharedMount;
+use OCP\Files\File;
 use OCP\Files\FileInfo;
 use OCP\Files\Folder;
 use OCP\Files\Node;
@@ -1081,6 +1082,22 @@ private function getPreviewPath($fileId = null) {
 		return $this->getThumbnailsFolder() . '/' . $fileId . '/';
 	}
 
+	/**
+	 * @param File $file
+	 * @return bool
+	 * @throws \OCP\Files\InvalidPathException
+	 * @throws \OCP\Files\NotFoundException
+	 */
+	public static function isImageFileSizeTooBig(File $file): bool {
+		$maxSizeForImages = \OC::$server->getConfig()->getSystemValue('preview_max_filesize_image', 50);
+		if ($maxSizeForImages === -1) {
+			return false;
+		}
+		$size = $file->getSize();
+
+		return $size > ($maxSizeForImages * 1024 * 1024);
+	}
+
 	/**
 	 * Asks the provider to send a preview of the file which respects the maximum dimensions
 	 * defined in the configuration and after saving it in the cache, it is then resized to the

lib/private/Preview/Bitmap.php

@@ -25,6 +25,7 @@
 namespace OC\Preview;
 
 use Imagick;
+use OC\Preview;
 use OCP\Files\File;
 use OCP\Files\FileInfo;
 use OCP\Preview\IProvider2;
@@ -40,6 +41,9 @@ abstract class Bitmap implements IProvider2 {
 	 * {@inheritDoc}
 	 */
 	public function getThumbnail(File $file, $maxX, $maxY, $scalingUp) {
+		if (Preview::isImageFileSizeTooBig($file)) {
+			return false;
+		}
 		$stream = $file->fopen('r');
 
 		// Creates \Imagick object from bitmap or vector file
@@ -78,13 +82,21 @@ public function isAvailable(FileInfo $file) {
 	 * @param int $maxX
 	 * @param int $maxY
 	 *
-	 * @return \Imagick
+	 * @return Imagick
 	 */
-	private function getResizedPreview($stream, $maxX, $maxY) {
+	private function getResizedPreview($stream, int $maxX, int $maxY): Imagick {
+		# file content can be SVG - we need to sanitize it first
+		$content = \stream_get_contents($stream);
+		$output = SVG::sanitizeSVGContent($content);
+		# in case the content is not an SVG we use the original content
+		if ($output === '') {
+			$output = $content;
+		}
+
 		$bp = new Imagick();
 
 		# setIteratorIndex(0) will make previews to be generated from the first page
-		$bp->readImageFile($stream);
+		$bp->readImageBlob($output);
 		$bp->setIteratorIndex(0);
 
 		$bp = $this->resize($bp, $maxX, $maxY);

lib/private/Preview/Image.php

@@ -26,6 +26,7 @@
  */
 namespace OC\Preview;
 
+use OC\Preview;
 use OCP\Files\File;
 use OCP\Files\FileInfo;
 use OCP\Preview\IProvider2;
@@ -35,13 +36,9 @@ abstract class Image implements IProvider2 {
 	 * {@inheritDoc}
 	 */
 	public function getThumbnail(File $file, $maxX, $maxY, $scalingUp) {
-		$maxSizeForImages = \OC::$server->getConfig()->getSystemValue('preview_max_filesize_image', 50);
-		$size = $file->getSize();
-
-		if ($maxSizeForImages !== -1 && $size > ($maxSizeForImages * 1024 * 1024)) {
+		if (Preview::isImageFileSizeTooBig($file)) {
 			return false;
 		}
-
 		$image = new \OC_Image();
 		$handle = $file->fopen('r');
 		$image->load($handle);

lib/private/Preview/Office.php

@@ -24,6 +24,7 @@
  */
 namespace OC\Preview;
 
+use OC\Image\ImagickFactory;
 use OCP\Files\File;
 use OCP\Files\FileInfo;
 use OCP\Preview\IProvider2;
@@ -60,22 +61,23 @@ public function getThumbnail(File $file, $maxX, $maxY, $scalingUp) {
 
 		\shell_exec($exec);
 
-		//create imagick object from pdf
+		//create imagick object from PDF
 		$pdfPreview = null;
 		try {
 			$pathInfo = \pathinfo($absPath);
 			$pdfPreview = $tmpDir . '/' . $pathInfo['filename'] . '.pdf';
 
-			$pdf = new \Imagick($pdfPreview . '[0]');
-			$pdf->setImageFormat('jpg');
+			# Note: no SVG sanitization of the file content required ....
+			$imagick = ImagickFactory::create($pdfPreview . '[0]');
+			$imagick->setImageFormat('jpg');
 		} catch (\Exception $e) {
 			@\unlink($pdfPreview);
 			\OCP\Util::writeLog('core', $e->getmessage(), \OCP\Util::ERROR);
 			return false;
 		}
 
 		$image = new \OC_Image();
-		$image->loadFromData($pdf);
+		$image->loadFromData($imagick);
 
 		\unlink($pdfPreview);
 

lib/private/Preview/SVG.php

@@ -23,6 +23,7 @@
  */
 namespace OC\Preview;
 
+use OC\Image\ImagickFactory;
 use OCP\Files\File;
 use OCP\Files\FileInfo;
 use OCP\Preview\IProvider2;
@@ -41,8 +42,8 @@ public function getMimeType() {
 	 */
 	public function getThumbnail(File $file, $maxX, $maxY, $scalingUp) {
 		try {
-			$svg = new \Imagick();
-			$svg->setBackgroundColor(new \ImagickPixel('transparent'));
+			$imagick = ImagickFactory::create();
+			$imagick->setBackgroundColor(new \ImagickPixel('transparent'));
 
 			$stream = $file->fopen('r');
 			$content = \stream_get_contents($stream);
@@ -54,16 +55,16 @@ public function getThumbnail(File $file, $maxX, $maxY, $scalingUp) {
 			# sanitize SVG content
 			$output = self::sanitizeSVGContent($content);
 
-			$svg->readImageBlob($output);
-			$svg->setImageFormat('png32');
+			$imagick->readImageBlob($output);
+			$imagick->setImageFormat('png32');
 		} catch (\Exception $e) {
 			\OCP\Util::writeLog('core', $e->getmessage(), \OCP\Util::ERROR);
 			return false;
 		}
 
 		//new image object
 		$image = new \OC_Image();
-		$image->loadFromData($svg);
+		$image->loadFromData($imagick);
 		//check if image object is valid
 		if ($image->valid()) {
 			$image->scaleDownToFit($maxX, $maxY);
@@ -84,6 +85,11 @@ public static function sanitizeSVGContent(string $content): string {
 		$sanitizer = new DOMSanitizer(DOMSanitizer::SVG);
 		$sanitizer->addDisallowedTags(['image']);
 		$sanitizer->addDisallowedAttributes(['xlink:href']);
-		return $sanitizer->sanitize($content);
+		$sanitized_content = $sanitizer->sanitize($content);
+
+		// XML errors are expected here if the SVG is malformed
+		\libxml_clear_errors();
+
+		return $sanitized_content;
 	}
 }

tests/lib/Preview/SVGTest.php

@@ -30,8 +30,7 @@
  */
 class SVGTest extends Provider {
 	public function setUp(): void {
-		$checkImagick = new \Imagick();
-		if (\count($checkImagick->queryFormats('SVG')) === 1) {
+		if (\count(\Imagick::queryFormats('SVG')) === 1) {
 			parent::setUp();
 
 			$fileName = 'testimagelarge.svg';

tests/lib/Preview/SanitizeTest.php

@@ -0,0 +1,65 @@
+<?php
+/**
+ * @author Thomas Müller <thomas.mueller@tmit.eu>
+ *
+ * @copyright Copyright (c) 2026, ownCloud GmbH
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace Test\Preview;
+
+use Generator;
+use OC\Preview\Bitmap;
+use OC\Preview\Font;
+use OC\Preview\PDF;
+use OCP\Files\File;
+use Test\TestCase;
+
+class SanitizeTest extends TestCase {
+	/**
+	 * @dataProvider providesSVG
+	 */
+	public function test(string $svgContent, Bitmap $provider): void {
+		if (\count(\Imagick::queryFormats('SVG')) === 0) {
+			$this->markTestSkipped('No SVG provider present');
+		}
+		# mock it all ....
+		$stream = fopen('php://memory', 'rb+');
+		fwrite($stream, $svgContent);
+		rewind($stream);
+		$file = $this->createMock(File::class);
+		$file->method('getContent')->willReturn($svgContent);
+		$file->method('fopen')->willReturn($stream);
+
+		# create the preview
+		$return = $provider->getThumbnail($file, 32, 32, false);
+
+		$this->assertImage(__DIR__ . '/white-32x32.png', $return);
+	}
+
+	public function providesSVG(): Generator {
+		$embeddedImagePath = __DIR__ . '/../../data/testimage.jpg';
+		$svgContent0 = <<<SVG
+<svg xmlns="http://www.w3.org/2000/svg" width="800" height="800">
+	<image href="$embeddedImagePath" width="400" height="400"></image>
+</svg>
+SVG;
+
+		# all Bitmap based providers use the same thumbnailing logic - two is enough ....
+		yield 'PDF provider' => [$svgContent0, new PDF()];
+		yield 'Font Provider' => [$svgContent0, new Font()];
+	}
+}