[PR #1583] [MERGED] Updated icon fetching. #3404

New Issue

Closed

opened 2025-10-09 18:22:49 +03:00 by OVERLORD · 0 comments

OVERLORD commented 2025-10-09 18:22:49 +03:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/1583
Author: @BlackDex
Created: 4/3/2021
Status: ✅ Merged
Merged: 4/6/2021
Merged by: @dani-garcia

Base: master ← Head: icon-updates

---

📝 Commits (1)

• 1d0eaac Updated icon fetching.

📊 Changes

1 file changed (+45 additions, -13 deletions)

View changed files

📝 src/api/icons.rs (+45 -13)

📄 Description

• Added image type checking, and prevent downloading non images.
  We didn't checked this before, which could in turn could allow someone
  to download an arbitrary file.
• This also prevents SVG images from being used, while they work on the
  web-vault and desktop client, they didn't on the mobile versions.
• Because of this image type checking we can return a valid file type
  instead of only 'x-icon' (which is still used as a fallback).
• Prevent rel values with icon-mask, these are not valid favicons.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/1583 **Author:** [@BlackDex](https://github.com/BlackDex) **Created:** 4/3/2021 **Status:** ✅ Merged **Merged:** 4/6/2021 **Merged by:** [@dani-garcia](https://github.com/dani-garcia) **Base:** `master` ← **Head:** `icon-updates` --- ### 📝 Commits (1) - [`1d0eaac`](https://github.com/dani-garcia/vaultwarden/commit/1d0eaac260d251abed23106e6356cb07e5b6e994) Updated icon fetching. ### 📊 Changes **1 file changed** (+45 additions, -13 deletions) <details> <summary>View changed files</summary> 📝 `src/api/icons.rs` (+45 -13) </details> ### 📄 Description - Added image type checking, and prevent downloading non images. We didn't checked this before, which could in turn could allow someone to download an arbitrary file. - This also prevents SVG images from being used, while they work on the web-vault and desktop client, they didn't on the mobile versions. - Because of this image type checking we can return a valid file type instead of only 'x-icon' (which is still used as a fallback). - Prevent rel values with `icon-mask`, these are not valid favicons. --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

OVERLORD added the pull-request label 2025-10-09 18:22:49 +03:00

OVERLORD closed this issue 2025-10-09 18:22:50 +03:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

test_dylint

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

bug

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

troubleshooting

wontfix

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#3404