Check for svg files containing scripts at startup

daemon.py

@@ -304,6 +304,7 @@ from cache import storePersonInCache
 from cache import getPersonFromCache
 from cache import getPersonPubKey
 from httpsig import verifyPostHeaders
+from theme import scanThemesForScripts
 from theme import importTheme
 from theme import exportTheme
 from theme import isNewsThemeName
@@ -16479,6 +16480,9 @@ def runDaemon(defaultReplyIntervalHours: int,
         print('serverAddress: ' + str(serverAddress))
         return False
 
+    # scan the theme directory for any svg files containing scripts
+    scanThemesForScripts(baseDir)
+
     # initialize authorized fetch key
     httpd.signingPrivateKeyPem = None
 

tests.py

@@ -42,6 +42,7 @@ from follow import clearFollowers
 from follow import sendFollowRequestViaServer
 from follow import sendUnfollowRequestViaServer
 from siteactive import siteIsActive
+from utils import dangerousSVG
 from utils import canReplyTo
 from utils import isGroupAccount
 from utils import getActorLanguagesList
@@ -70,7 +71,6 @@ from utils import getStatusNumber
 from utils import getFollowersOfPerson
 from utils import removeHtml
 from utils import dangerousMarkup
-from utils import dangerousSVG
 from utils import acctDir
 from pgp import extractPGPPublicKey
 from pgp import pgpPublicKeyUpload
@@ -127,6 +127,7 @@ from content import removeTextFormatting
 from content import removeHtmlTag
 from theme import updateDefaultThemesList
 from theme import setCSSparam
+from theme import scanThemesForScripts
 from linked_data_sig import generateJsonSignature
 from linked_data_sig import verifyJsonSignature
 from newsdaemon import hashtagRuleTree
@@ -3442,19 +3443,7 @@ def _testDangerousSVG() -> None:
     assert dangerousSVG(svgContent, False)
 
     baseDir = os.getcwd()
-    for subdir, dirs, files in os.walk(baseDir + '/theme'):
+    scanThemesForScripts(baseDir)
-        for f in files:
-            if not f.endswith('.svg'):
-                continue
-            svgFilename = os.path.join(subdir, f)
-            content = ''
-            with open(svgFilename, 'r') as fp:
-                content = fp.read()
-            svgDangerous = dangerousCSS(content, False)
-            if svgDangerous:
-                print('svg file contains script: ' + svgFilename)
-            assert not svgDangerous
-        # deliberately no break - should resursively scan
 
 
 def _testDangerousMarkup():

theme.py

@@ -14,6 +14,7 @@ from utils import saveJson
 from utils import getImageExtensions
 from utils import copytree
 from utils import acctDir
+from utils import dangerousSVG
 from shutil import copyfile
 from shutil import make_archive
 from shutil import unpack_archive
@@ -826,3 +827,21 @@ def updateDefaultThemesList(baseDir: str) -> None:
     with open(defaultThemesFilename, 'w+') as defaultThemesFile:
         for name in themeNames:
             defaultThemesFile.write(name + '\n')
+
+
+def scanThemesForScripts(baseDir: str) -> None:
+    """Scans the theme directory for any svg files containing scripts
+    """
+    for subdir, dirs, files in os.walk(baseDir + '/theme'):
+        for f in files:
+            if not f.endswith('.svg'):
+                continue
+            svgFilename = os.path.join(subdir, f)
+            content = ''
+            with open(svgFilename, 'r') as fp:
+                content = fp.read()
+            svgDangerous = dangerousSVG(content, False)
+            if svgDangerous:
+                print('svg file contains script: ' + svgFilename)
+            assert not svgDangerous
+        # deliberately no break - should resursively scan