Release notes Shopware 6.6.10.18
Abstract
This patch release contains security fixes. Please update to this patch release as soon as possible. If you cannot update immediately, it is highly recommended to use the Security Plugin.
Important information: potential breaking change
Although the underlying issue is rated low severity, this patch release introduces a security-related change that can be breaking in some cases:
SVG uploads are now validated against a stricter passive SVG allowlist before they are saved. Common presentation and accessibility attributes remain supported, but SVGs using unsupported markup, animations, scripts, event handlers, external references, "data:" URLs, or other active content may now be rejected.
If an extension or custom project is affected, the SVG should be simplified to use only passive markup. Alternatively, the accepted SVG subset can be adjusted at installation level via shopware.media.svg.allowed_elements, shopware.media.svg.allowed_attributes, and shopware.media.svg.allowed_reference_attributes in shopware.yaml.
System requirements
- tested on PHP 8.2 and 8.4
- tested on MySQL 8 and MariaDB 11
Improvements
(No notable improvements in this patch release)
Fixed bugs
Critical Fixes
SVG uploads validate against a strict passive allowlist
SVG uploads in the media subsystem are now validated against a strict passive SVG allowlist before persistence. Active content such as scripts, event handlers, processing instructions, external references, and URL-based references in attributes are rejected.
The default allowlist covers the W3C SVG2 presentation attribute set (https://www.w3.org/TR/SVG2/attindex.html#PresentationAttributes), ARIA accessibility attributes, the lang and xml:lang accessibility attributes, and the common safe structural elements a, image, marker, metadata, switch, symbol, and view. Anchor href / xlink:href references remain restricted to local document fragments (#id), so javascript:, data:, and remote URLs are rejected. Active content (scripts, event handlers, animations, foreign objects, processing instructions, DOCTYPEs, entities) and any external url(...) / @import references remain blocked regardless of the attribute that carries them.
The accepted SVG subset can be adjusted at installation level via shopware.media.svg.allowed_elements, shopware.media.svg.allowed_attributes, and shopware.media.svg.allowed_reference_attributes in shopware.yaml.
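To make the policy in the "potential breaking change" note and the paragraph above concrete, here is an added example of a passive-SVG allowlist validator. It is illustration code written for these notes, not Shopware's media subsystem, and the allowlist sets, the reason strings and the sample documents are the author's own assumptions: the real installation-level sets live in the shopware.media.svg.* keys. The shape of the check is the point: elements and attributes must be on an allowlist, href / xlink:href may only name a local fragment, and processing instructions, DOCTYPEs, entities, event handlers, url(...) to anything but a fragment, @import, javascript: and data: are rejected no matter where they appear.

```python
import re
from xml.parsers import expat

# Sample allowlists (an assumption for this illustration, not Shopware's defaults,
# which are the SVG2 presentation attributes, ARIA attributes and the elements
# named in the release notes, adjustable via shopware.media.svg.* in shopware.yaml).
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "use", "clipPath",
    "linearGradient", "radialGradient", "stop",
    "a", "image", "marker", "metadata", "switch", "symbol", "view",
}
ALLOWED_ATTRIBUTES = {
    "xmlns", "xmlns:xlink", "id", "class", "style", "lang", "xml:lang",
    "role", "aria-label", "aria-hidden", "viewBox", "preserveAspectRatio",
    "width", "height", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r",
    "rx", "ry", "d", "points", "offset", "transform",
    "fill", "fill-opacity", "stroke", "stroke-width", "stroke-opacity",
    "stop-color", "opacity", "font-family", "font-size", "text-anchor",
}
# Reference-carrying attributes: allowed, but only as a local fragment (#id).
ALLOWED_REFERENCE_ATTRIBUTES = {"href", "xlink:href"}

LOCAL_FRAGMENT_RE = re.compile(r"#[A-Za-z_][\w.-]*")
URL_FUNC_RE = re.compile(r"url\s*\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)
FORBIDDEN_VALUE_RE = re.compile(r"@import|javascript\s*:|data\s*:", re.IGNORECASE)


class SvgRejected(Exception):
    """Raised from inside an expat callback; str(exc) is a short reason such as 'element:script'."""


def _reject(reason):
    raise SvgRejected(reason)


def _check_value(attr, value):
    # Belt and braces on top of the allowlist: no @import, no javascript:/data: scheme,
    # and every url(...) must point at a fragment inside this very document.
    if FORBIDDEN_VALUE_RE.search(value):
        _reject(f"external:{attr}")
    for match in URL_FUNC_RE.finditer(value):
        if not LOCAL_FRAGMENT_RE.fullmatch(match.group(2).strip()):
            _reject(f"external:{attr}")


def _on_start(name, attrs):
    if name not in ALLOWED_ELEMENTS:            # script, foreignObject, animate, style, ...
        _reject(f"element:{name}")
    for attr, value in attrs.items():
        if attr.lower().startswith("on"):       # onload, onclick, ... are never acceptable
            _reject(f"event-handler:{attr}")
        if attr in ALLOWED_REFERENCE_ATTRIBUTES:
            if not LOCAL_FRAGMENT_RE.fullmatch(value.strip()):
                _reject(f"reference:{attr}")    # javascript:, data:, http(s): ... all fail here
            continue
        if attr not in ALLOWED_ATTRIBUTES:
            _reject(f"attribute:{attr}")
        _check_value(attr, value)


def check_svg(data: bytes):
    """Return None when the document is passive and allowlisted, else a reason string."""
    parser = expat.ParserCreate()               # no namespace processing: names keep their prefix
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = _on_start
    parser.ProcessingInstructionHandler = lambda target, text: _reject("processing-instruction")
    parser.StartDoctypeDeclHandler = lambda *_: _reject("doctype")
    parser.EntityDeclHandler = lambda *_: _reject("entity")
    parser.ExternalEntityRefHandler = lambda *_: _reject("external-entity")
    try:
        parser.Parse(data, True)
    except SvgRejected as exc:
        return str(exc)
    except expat.ExpatError as exc:
        return f"not-well-formed:{exc}"
    return None


# Constructed inputs for the demo (not real upload data).
NS = 'xmlns="http://www.w3.org/2000/svg"'
PASSIVE_SVG = (f'<svg {NS} viewBox="0 0 10 10" role="img" aria-label="dot"><title>dot</title>'
               '<defs><linearGradient id="g"><stop offset="0" stop-color="#f00"/></linearGradient></defs>'
               '<a href="#g"><circle cx="5" cy="5" r="4" fill="url(#g)"/></a></svg>').encode()
REJECTED = {
    "script": f'<svg {NS}><script>alert(1)</script></svg>'.encode(),
    "onload": f'<svg {NS} onload="alert(1)"><rect width="10" height="10"/></svg>'.encode(),
    "js-href": f'<svg {NS}><a href="javascript:alert(1)"><rect width="10" height="10"/></a></svg>'.encode(),
    "data-image": (f'<svg {NS} xmlns:xlink="http://www.w3.org/1999/xlink">'
                   '<image xlink:href="data:image/svg+xml;base64,PHN2Zy8+"/></svg>').encode(),
    "remote-css": f'<svg {NS}><rect width="10" height="10" style="fill:url(http://evil.example/f.svg#p)"/></svg>'.encode(),
    "stylesheet-pi": f'<?xml-stylesheet href="http://evil.example/x.css"?><svg {NS}/>'.encode(),
    "doctype": f'<!DOCTYPE svg [<!ENTITY e "x">]><svg {NS}>&e;</svg>'.encode(),
    "animate": f'<svg {NS}><rect width="10" height="10"><animate attributeName="x" to="9" dur="1s"/></rect></svg>'.encode(),
}

if __name__ == "__main__":
    print("passive:", check_svg(PASSIVE_SVG))
    for label, doc in REJECTED.items():
        print(f"{label}: {check_svg(doc)}")
```

Two design points carry over to any implementation: the decision is taken while parsing, before anything is persisted, and the allowlists do the real work; the deny patterns on attribute values only catch leftovers, which is why a gradient reference like fill="url(#g)" passes while url(http://...) in the same attribute does not.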
External-link endpoint URL validation aligned with upload-from-url
The URL validation for the external-link endpoint is now in line with the existing validation in the upload-from-url flow. The static MediaUploadService::validateExternalUrl() is deprecated in favour of the new assertValidExternalUrl() method on the service.
See UPGRADE-6.8.md for migration details.
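The notes do not spell out what the aligned URL validation checks, so the following is an added example, written for these notes and not taken from MediaUploadService, of the class of check an external-link or upload-from-url flow needs to close the IP-validation gap named in the bulletin list: a scheme allowlist, no userinfo, and a test of every address the host resolves to against non-global ranges, including the IP-literal spellings that a purely textual compare misses. check_external_url, fake_resolver and the FAKE_DNS answers are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Default resolver: every A/AAAA answer the OS returns, so no address goes unchecked."""
    return [info[4][0] for info in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)]


def ipv4_literal(host):
    """Normalize inet_aton shorthand (127.1, 0x7f000001, 2130706433 on glibc) that a
    textual blocklist would miss; None when host is not an IPv4 literal."""
    try:
        return socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        return None


def check_external_url(url, resolver=resolve_all):
    """Return None when url may be fetched, else a short reason string (assumed API)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:        # urlsplit already lowercases the scheme
        return f"scheme:{parts.scheme or 'missing'}"
    if parts.username is not None or parts.password is not None:
        return "userinfo"                          # http://trusted@169.254.169.254/ confusion
    host = parts.hostname
    if not host:
        return "host:missing"
    literal = ipv4_literal(host)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            ipaddress.ip_address(host)             # IPv6 literal such as [::1]
            addrs = [host]
        except ValueError:
            try:
                addrs = resolver(host)
            except OSError:
                return "dns:unresolvable"
    if not addrs:
        return "dns:no-answer"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped                    # ::ffff:127.0.0.1 is still loopback
        if not ip.is_global:                       # loopback, RFC1918, link-local, CGNAT, ...
            return f"address:{addr}"
    return None


# Constructed DNS answers so the demo runs offline (not real records).
FAKE_DNS = {
    "cdn.example": ["93.184.216.34"],
    "internal.example": ["10.0.0.5"],                   # public name, private answer
    "dual.example": ["93.184.216.34", "192.168.1.1"],   # one bad answer is enough to reject
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for url in ("https://cdn.example/logo.svg", "http://internal.example/x", "http://dual.example/x",
                "http://127.1/", "http://[::ffff:127.0.0.1]/", "http://169.254.169.254/latest/",
                "ftp://cdn.example/x", "http://user:pw@cdn.example/"):
        print(f"{url}: {check_external_url(url, fake_resolver)}")
```

A validate-then-fetch check like this is only as good as what the fetch does afterwards: the HTTP client has to connect to the address that was checked (or re-run the check on its own resolution) so a DNS answer that changes between the two lookups cannot redirect the request, and every redirect target must go through the same function before it is followed.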
All security bulletins for this security patch
- GHSA-gv8p-48fr-4fxg - Privilege Escalation via Sync API Integration Admin Flag Bypass
- GHSA-8v9p-g828-v98f - Admin Account Takeover via User Recovery Hash Exposure
- GHSA-7w52-7jvm-m9vw - Timing-attack on admin panel allowing enumeration of administrator usernames
- GHSA-v39m-97p8-gqg7 - Privilege escalation: non-admin user with user:create ACL can create admin accounts
- GHSA-4x3x-869w-xx3m - Shopware SSO referer trust leading to an arbitrary redirect target
- GHSA-f8q6-3g5w-jjr6 - Admin API ACL Bypass in Order State Transition Endpoints
- GHSA-9v5m-39wh-5chq - Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment
- GHSA-xvhc-gm7j-mhmc - Stored XSS via SVG file upload - no SVG sanitization
- GHSA-gq96-5pfx-f4vc - SSRF in Media External-Link Endpoint Bypasses IP Validation
Credits
Thanks to all diligent friends for helping us make Shopware better and better with each pull request!
More resources
- Detailed diff on Github to the former version
- Installation overview
- Update from a previous installation
Get in touch
Discuss decisions, bugs you might stumble upon, etc. in our community Discord. See you there 😉