From f43aae442d2756843842bfdaa1d3ec8dfd38b3a3 Mon Sep 17 00:00:00 2001
From: Chris Steipp <csteipp@wikimedia.org>
Date: Mon, 25 Nov 2013 16:26:49 -0800
Subject: [PATCH] SECURITY: Disallow stylesheets in svg
Bug: 57550
Change-Id: I80452f98048ef565d06b45f78d8baccdafdf6186
---
includes/libs/XmlTypeCheck.php | 31 ++++++++++++++++++++++++++++++-
includes/upload/UploadBase.php | 21 ++++++++++++++++++++-
2 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/includes/libs/XmlTypeCheck.php b/includes/libs/XmlTypeCheck.php
index 92ca7d8..cdd4c56 100644
--- a/includes/libs/XmlTypeCheck.php
+++ b/includes/libs/XmlTypeCheck.php
@@ -40,6 +40,13 @@ class XmlTypeCheck {
public $rootElement = '';
/**
+ * Additional parsing options
+ */
+ private $parserOptions = array(
+ 'processing_instruction_handler' => '',
+ );
+
+ /**
* @param string $input a filename or string containing the XML element
* @param callable $filterCallback (optional)
* Function to call to do additional custom validity checks from the
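Review bot: The docblock on the new `$parserOptions` property at the top of the hunk says only "Additional parsing options" and leaves the meaning of the `''` default unstated, although the handler is registered only when that value is truthy. Suggest replacing it with `@var array Additional parsing options. 'processing_instruction_handler' is a callable invoked as ( $target, $data ) for each processing instruction, or '' (default) to leave processing instructions unchecked.` so a reader does not have to find the registration code to learn this. The enclosing class continues outside the hunk.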
@@ -48,9 +55,13 @@ class XmlTypeCheck {
* Filter should return 'true' to toggle on $this->filterMatch
* @param boolean $isFile (optional) indicates if the first parameter is a
* filename (default, true) or if it is a string (false)
+ * @param array $options list of additional parsing options:
+ * processing_instruction_handler: Callback for xml_set_processing_instruction_handler
*/
- function __construct( $input, $filterCallback = null, $isFile = true ) {
+ function __construct( $input, $filterCallback = null, $isFile = true, $options = array() ) {
$this->filterCallback = $filterCallback;
+ $this->parserOptions = array_merge( $this->parserOptions, $options );
+
if ( $isFile ) {
$this->validateFromFile( $input );
} else {
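Review bot: A handler supplied through `$options` that is not callable is never rejected: the new `array_merge` line stores it as-is, and the later `call_user_func` on it (hunk at the end of the class, `processingInstructionHandler`) only raises a warning and returns null, so `filterMatch` stays false and the document passes — a fail-open in a security filter, and the registration check in the `getParser` hunk (`if ( $this->parserOptions['processing_instruction_handler'] )`) tests truthiness, not callability. Validate once at construction, directly after the merge: `if ( $this->parserOptions['processing_instruction_handler'] !== '' && !is_callable( $this->parserOptions['processing_instruction_handler'] ) ) { throw new InvalidArgumentException( 'processing_instruction_handler must be callable' ); }` (use whichever exception type the libs/ directory permits). The constructor body continues past the end of the hunk.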
@@ -107,6 +118,12 @@ class XmlTypeCheck {
// case folding violates XML standard, turn it off
xml_parser_set_option( $parser, XML_OPTION_CASE_FOLDING, false );
xml_set_element_handler( $parser, array( $this, 'rootElementOpen' ), false );
+ if ( $this->parserOptions['processing_instruction_handler'] ) {
+ xml_set_processing_instruction_handler(
+ $parser,
+ array( $this, 'processingInstructionHandler' )
+ );
+ }
return $parser;
}
@@ -181,4 +198,16 @@ class XmlTypeCheck {
$this->filterMatch = true;
}
}
+
+ /**
+ * @param $parser
+ * @param $target
+ * @param $data
+ */
+ private function processingInstructionHandler( $parser, $target, $data ) {
+ if ( call_user_func( $this->parserOptions['processing_instruction_handler'], $target, $data ) ) {
+ // Filter hit!
+ $this->filterMatch = true;
+ }
+ }
}
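Review bot: The docblock of the new `processingInstructionHandler` method lists `$parser`, `$target` and `$data` with neither types nor descriptions, so it documents nothing the signature does not already show. Suggest `@param resource $parser`, `@param string $target processing instruction name`, `@param string $data processing instruction body`, plus a sentence stating that the configured callback receives only `$target` and `$data` and that a truthy return sets `$this->filterMatch` — that last fact is what a caller wiring up a handler needs and is currently only in the `// Filter hit!` comment.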
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 183e7f3..a50bd6c 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1155,11 +1155,30 @@ abstract class UploadBase {
* @return bool
*/
protected function detectScriptInSvg( $filename ) {
- $check = new XmlTypeCheck( $filename, array( $this, 'checkSvgScriptCallback' ) );
+ $check = new XmlTypeCheck(
+ $filename,
+ array( $this, 'checkSvgScriptCallback' ),
+ true,
+ array( 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback' )
+ );
return $check->filterMatch;
}
/**
+ * Callback to filter SVG Processing Instructions.
+ * @param $target string processing instruction name
+ * @param $data string processing instruction attribute and value
+ * @return bool (true if the filter identified something bad)
+ */
+ public static function checkSvgPICallback( $target, $data ) {
+ // Don't allow external stylesheets (bug 57550)
+ if ( preg_match( '/xml-stylesheet/i', $target) ) {
+ return true;
+ }
+ return false;
+ }
+
+ /**
* @todo Replace this with a whitelist filter!
* @param $element string
* @param $attribs array
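Review bot: The comment `// Don't allow external stylesheets (bug 57550)` in `checkSvgPICallback` understates what the code does: the pattern `/xml-stylesheet/i` rejects every `xml-stylesheet` processing instruction, local or external, and `$data` is never inspected. Suggest `// Reject every xml-stylesheet PI, whether or not it is external; an attached stylesheet could be XSLT (bug 57550)` and, in the docblock, `@param $data string processing instruction attribute and value (currently unused)`. The body could then be the single line `return (bool)preg_match( '/xml-stylesheet/i', $target );`. The `detectScriptInSvg` docblock starts before the hunk, and the docblock opened on the hunk's last line continues outside it.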
--
1.8.4
T59550: SVG XSLT XSS