commit f14e3809930c781028aa2ba38f56a82f168e5d76
Author: Hugh Davenport <hugh@catalyst.net.nz>
Date:   Fri Oct 5 12:07:43 2012 +1300

    Escape user uploaded SVG files
    
    Bug #1061980
    CVE-2012-2247
    
    Before this patch, if a user uploaded HTML or XML files
    then tried to download them, or linked other users to download
    them, they would be presented with an escaped version along
    with a link to download the original.
    
    Unfortunately, an SVG file can possibly contain unsecure content,
    such as javascript, that would be run on the victims browser.
    
    This patch adds SVG files (image/svg+xml) to the list of files
    to not display by default.
    
    Change-Id: I56e7c9d2a7d8de03b5b3be31f0ac44198547ea09
    Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php
index 19c7bf9..e0199b9 100644
--- a/htdocs/lib/file.php
+++ b/htdocs/lib/file.php
@@ -70,7 +70,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) {
     $lastmodified = filemtime($path);
     $filesize     = filesize($path);
 
-    if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml') {
+    if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml' || $mimetype == 'image/svg+xml') {
         if (isset($options['downloadurl']) && $filesize < 1024 * 1024) {
             display_cleaned_html(file_get_contents($path), $filename, $options);
             exit;