Updated icon fetching. #2516

Closed
opened 2026-04-06 03:46:17 +02:00 by MrUnknownDE · 0 comments
Originally created by @BlackDex on 4/3/2021

  • Added image type checking, and prevent downloading non-images.
    We didn't check this before, which in turn could allow someone
    to download an arbitrary file.
  • This also prevents SVG images from being used; while they work on the
    web-vault and desktop client, they didn't on the mobile versions.
  • Because of this image type checking we can return a valid file type
    instead of only 'x-icon' (which is still used as a fallback).
  • Prevent rel values with `icon-mask`, these are not valid favicons.
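The checks the description lists (sniff the downloaded bytes, drop anything that is not a raster image including SVG, return the real content type with `x-icon` as the fallback, and skip `icon-mask` rel values) as an added, self-contained Rust example; this is not Vaultwarden's own icon code, and the magic-number table and the rel-token rule are assumptions of the example.

```rust
// Added example, not Vaultwarden's icon fetcher. Assumed: the standard
// magic numbers below identify the raster formats a favicon may use.

/// MIME type for a recognised raster image, or None for anything else
/// (SVG and HTML are text, so they never match a binary signature).
pub fn image_mime_type(bytes: &[u8]) -> Option<&'static str> {
    if bytes.starts_with(b"\x89PNG\r\n\x1a\n") {
        Some("image/png")
    } else if bytes.starts_with(b"\xFF\xD8\xFF") {
        Some("image/jpeg")
    } else if bytes.starts_with(b"GIF87a") || bytes.starts_with(b"GIF89a") {
        Some("image/gif")
    } else if bytes.starts_with(b"RIFF") && bytes.get(8..12) == Some(&b"WEBP"[..]) {
        Some("image/webp")
    } else if bytes.starts_with(&[0x00, 0x00, 0x01, 0x00]) {
        // ICO header: reserved word 0, image type 1 (icon).
        Some("image/x-icon")
    } else {
        None
    }
}

/// Only store bodies that sniff as an image; an arbitrary file is rejected.
pub fn accept_icon(bytes: &[u8]) -> bool {
    image_mime_type(bytes).is_some()
}

/// Content-Type to serve for a stored icon; x-icon stays the fallback.
pub fn content_type_for(bytes: &[u8]) -> &'static str {
    image_mime_type(bytes).unwrap_or("image/x-icon")
}

/// Keep `<link rel="...">` values that name an icon ("icon", "shortcut icon",
/// "apple-touch-icon"), but never one carrying the icon-mask token.
pub fn is_favicon_rel(rel: &str) -> bool {
    let rel = rel.to_ascii_lowercase();
    let mut has_icon = false;
    for token in rel.split_whitespace() {
        if token == "icon-mask" {
            return false;
        }
        if token.contains("icon") {
            has_icon = true;
        }
    }
    has_icon
}
```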
Reference: github/vaultwarden#2516