From 1aa2993bccf4857c25daf00b2d26f4d2dcedaacc Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sun, 19 Dec 2021 12:32:01 +0000
Subject: [PATCH] Check svg favicons for dangerous scripts

favicons typically are not svg format, but theoretically it could happen
---
 newswire.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/newswire.py b/newswire.py
index 51c64c359..5277f3382 100644
--- a/newswire.py
+++ b/newswire.py
@@ -18,6 +18,7 @@ from datetime import timezone
 from collections import OrderedDict
 from utils import validPostDate
 from categories import setHashtagCategory
+from utils import dangerousSVG
 from utils import getFavFilenameFromUrl
 from utils import getBaseContentFromPost
 from utils import hasObjectDict
@@ -176,6 +177,11 @@ def _downloadNewswireFeedFavicon(session, baseDir: str,
     if not os.path.isdir(baseDir + '/favicons'):
         os.mkdir(baseDir + '/favicons')
 
+    # check svg for dubious scripts
+    if favUrl.endswith('.svg'):
+        if dangerousSVG(imageData, False):
+            return False
+
     # save to the cache
     favFilename = getFavFilenameFromUrl(baseDir, favUrl)
     if os.path.isfile(favFilename):
@@ -186,6 +192,7 @@ def _downloadNewswireFeedFavicon(session, baseDir: str,
     except OSError:
         print('EX: failed writing favicon ' + favFilename)
         return False
+    return True
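Review bot: The new guard in the second hunk is keyed only on `favUrl.endswith('.svg')`, which is case-sensitive and applied to the full URL, so a favicon at `.../favicon.SVG` or `.../favicon.svg?v=2` is written to the cache without ever reaching `dangerousSVG`, and an SVG served from a URL with no `.svg` suffix at all is likewise never inspected. At minimum normalise the URL before testing it, e.g. `if favUrl.lower().split('?', 1)[0].endswith('.svg'):`, so that the extension check is not trivially bypassed by a remote feed operator. A stronger gate would decide on the response's Content-Type or on the downloaded bytes themselves (an SVG body starts with `<svg` or `<?xml`) rather than on the URL; the part of `_downloadNewswireFeedFavicon` that fetches `imageData` lies outside this hunk, so I cannot confirm from here whether the response headers are still available at this point or whether `dangerousSVG` expects `str` or `bytes`. It would also help to say in the comment that a hit is deliberately treated like a download failure so callers fall back to no favicon, e.g. `# reject SVG favicons containing scripts; treated like a failed download so no file is cached`.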