F103791
T86711-REL1_19.patch
csteipp (Chris Steipp)
Authored By
csteipp
Mar 24 2015, 10:51 PM
2015-03-24 22:51:17 (UTC+0)
Size
1 KB
From 7cc9e822fe67d8c829162603c16b5acf2f3e7893 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Tue, 13 Jan 2015 16:48:01 -0800
Subject: [PATCH] SECURITY: Fix animate blacklist
The blacklist should prevent animating any element's xlink:href to a
javascript url.
Bug: T86711
Change-Id: Ia9e9192165fdfe1701f22605eee0b0e5c9137d5a
---
includes/upload/UploadBase.php | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index db96ca3..06375f8 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1222,11 +1222,10 @@ abstract class UploadBase {
}
}
- # Change href with animate from (http://html5sec.org/#137). This doesn't seem
- # possible without embedding the svg, but filter here in case.
- if ( $stripped == 'from'
+ # Change href with animate from (http://html5sec.org/#137).
+ if ( $stripped === 'attributename'
&& $strippedElement === 'animate'
- && !preg_match( '!^https?://!im', $value )
+ && $this->stripXmlNamespace( $value ) == 'href'
) {
wfDebug( __METHOD__ . ": Found animate that might be changing href using from "
. "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" );
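Review bot: The wfDebug text still reads "changing href using from", but the condition now matches the `attributename` attribute rather than `from`, so the log message should be updated to describe what was actually detected. The new comparison `$this->stripXmlNamespace( $value ) == 'href'` uses loose `==` while the two checks above it use `===`; use `===` here too, and confirm the value is case- and whitespace-normalised before the comparison, since it comes straight from the uploaded file. The condition is also limited to `$strippedElement === 'animate'`, whereas the commit message speaks of animating any element's xlink:href, so it is worth checking whether other SVG animation elements that accept attributeName (such as `set`) need the same test.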
--
1.8.4.5
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
100697
Default Alt Text
T86711-REL1_19.patch (1 KB)
Attached To
Mode
T86711: Fix SVG blacklist for animate
Attached