Security: Filter SVG files uploaded from social network

See advisory GHSA-2vq2-826h-6hp6

Author: AngelFQC

main/inc/lib/document.lib.php

@@ -3,6 +3,7 @@
 /* For licensing terms, see /license.txt */
 
 use ChamiloSession as Session;
+use enshrined\svgSanitize\Sanitizer;
 
 /**
  *  Class DocumentManager
@@ -486,6 +487,13 @@ public static function file_send_for_download(
                 }
                 echo $content;
             } else {
+                if ('image/svg+xml' === $contentType) {
+                    $svgContent = file_get_contents($full_file_name);
+
+                    echo (new Sanitizer())->sanitize($svgContent);
+                    return true;
+                }
+
                 if (isset($enableMathJaxScript) && $enableMathJaxScript === true) {
                     $content = file_get_contents($full_file_name);
                     $content = self::includeMathJaxScript($content);

main/inc/lib/message.lib.php

@@ -1097,6 +1097,10 @@ public static function saveMessageAttachmentFile(
                         $fileCopied = true;
                     }
                 }
+
+                if ('image/svg+xml' === $type) {
+                    sanitizeSvgFile($new_path);
+                }
             }
 
             if ($fileCopied) {

main/social/download.php

@@ -9,6 +9,9 @@
  *
  * @package chamilo.messages
  */
+
+use Symfony\Component\HttpFoundation\Request as HttpRequest;
+
 session_cache_limiter('public');
 
 require_once __DIR__.'/../inc/global.inc.php';
@@ -20,8 +23,10 @@
 header('Cache-Control: public');
 header('Pragma: no-cache');
 
-$messageId = isset($_GET['message_id']) ? $_GET['message_id'] : 0;
-$attachmentId = isset($_GET['attachment_id']) ? $_GET['attachment_id'] : 0;
+$httpRequest = HttpRequest::createFromGlobals();
+
+$messageId = $httpRequest->query->getInt('message_id');
+$attachmentId = $httpRequest->query->getInt('attachment_id');
 
 $messageInfo = MessageManager::get_message_by_id($messageId);
 $attachmentInfo = MessageManager::getAttachment($attachmentId);