
bug57550.patch

Authored By
bzimport
Nov 22 2014, 2:16 AM
Size
3 KB
Referenced Files
None
Subscribers
None

bug57550.patch

From f43aae442d2756843842bfdaa1d3ec8dfd38b3a3 Mon Sep 17 00:00:00 2001
From: Chris Steipp <csteipp@wikimedia.org>
Date: Mon, 25 Nov 2013 16:26:49 -0800
Subject: [PATCH] SECURITY: Disallow stylesheets in svg
Bug: 57550
Change-Id: I80452f98048ef565d06b45f78d8baccdafdf6186
---
includes/libs/XmlTypeCheck.php | 31 ++++++++++++++++++++++++++++++-
includes/upload/UploadBase.php | 21 ++++++++++++++++++++-
2 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/includes/libs/XmlTypeCheck.php b/includes/libs/XmlTypeCheck.php
index 92ca7d8..cdd4c56 100644
--- a/includes/libs/XmlTypeCheck.php
+++ b/includes/libs/XmlTypeCheck.php
@@ -40,6 +40,13 @@ class XmlTypeCheck {
public $rootElement = '';
/**
+ * Additional parsing options
+ */
+ private $parserOptions = array(
+ 'processing_instruction_handler' => '',
+ );
+
+ /**
* @param string $input a filename or string containing the XML element
* @param callable $filterCallback (optional)
* Function to call to do additional custom validity checks from the
@@ -48,9 +55,13 @@ class XmlTypeCheck {
* Filter should return 'true' to toggle on $this->filterMatch
* @param boolean $isFile (optional) indicates if the first parameter is a
* filename (default, true) or if it is a string (false)
+ * @param array $options list of additional parsing options:
+ * processing_instruction_handler: Callback for xml_set_processing_instruction_handler
*/
- function __construct( $input, $filterCallback = null, $isFile = true ) {
+ function __construct( $input, $filterCallback = null, $isFile = true, $options = array() ) {
$this->filterCallback = $filterCallback;
+ $this->parserOptions = array_merge( $this->parserOptions, $options );
+
if ( $isFile ) {
$this->validateFromFile( $input );
} else {
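Review bot: The constructor merges `$options` into `$this->parserOptions` without checking that `processing_instruction_handler` is callable, so a mistyped callback name makes this security filter fail open. The parser-setup hunk only tests the value for truthiness, and `processingInstructionHandler()` passes it straight to `call_user_func()`, which on PHP 5 raises a warning and returns a falsy value for a non-callable, leaving `filterMatch` unset. I would reject a bad handler up front, right after the `array_merge()`: `if ( $this->parserOptions['processing_instruction_handler'] && !is_callable( $this->parserOptions['processing_instruction_handler'] ) ) { throw new InvalidArgumentException( 'processing_instruction_handler must be callable' ); }`. The constructor body continues past the end of this hunk.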
@@ -107,6 +118,12 @@ class XmlTypeCheck {
// case folding violates XML standard, turn it off
xml_parser_set_option( $parser, XML_OPTION_CASE_FOLDING, false );
xml_set_element_handler( $parser, array( $this, 'rootElementOpen' ), false );
+ if ( $this->parserOptions['processing_instruction_handler'] ) {
+ xml_set_processing_instruction_handler(
+ $parser,
+ array( $this, 'processingInstructionHandler' )
+ );
+ }
return $parser;
}
@@ -181,4 +198,16 @@ class XmlTypeCheck {
$this->filterMatch = true;
}
}
+
+ /**
+ * @param $parser
+ * @param $target
+ * @param $data
+ */
+ private function processingInstructionHandler( $parser, $target, $data ) {
+ if ( call_user_func( $this->parserOptions['processing_instruction_handler'], $target, $data ) ) {
+ // Filter hit!
+ $this->filterMatch = true;
+ }
+ }
}
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 183e7f3..a50bd6c 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1155,11 +1155,30 @@ abstract class UploadBase {
* @return bool
*/
protected function detectScriptInSvg( $filename ) {
- $check = new XmlTypeCheck( $filename, array( $this, 'checkSvgScriptCallback' ) );
+ $check = new XmlTypeCheck(
+ $filename,
+ array( $this, 'checkSvgScriptCallback' ),
+ true,
+ array( 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback' )
+ );
return $check->filterMatch;
}
/**
+ * Callback to filter SVG Processing Instructions.
+ * @param $target string processing instruction name
+ * @param $data string processing instruction attribute and value
+ * @return bool (true if the filter identified something bad)
+ */
+ public static function checkSvgPICallback( $target, $data ) {
+ // Don't allow external stylesheets (bug 57550)
+ if ( preg_match( '/xml-stylesheet/i', $target) ) {
+ return true;
+ }
+ return false;
+ }
+
+ /**
* @todo Replace this with a whitelist filter!
* @param $element string
* @param $attribs array
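Review bot: The comment in `checkSvgPICallback()` says "Don't allow external stylesheets", but the code never looks at `$data`, so every `xml-stylesheet` processing instruction is rejected whatever its href. That is the safer behaviour, and the comment should say so, e.g. `// Reject every xml-stylesheet PI regardless of its href (bug 57550)`. The pattern is unanchored and case-insensitive although PI targets are case-sensitive; this over-matches rather than under-matches, so a short note that the looseness is deliberate would stop a later cleanup from narrowing it. As a style point, a fixed substring does not need a regex and `$target)` is missing the space before the parenthesis: `return stripos( $target, 'xml-stylesheet' ) !== false;` does the same job. The docblock of `detectScriptInSvg()` starts above this hunk and should also mention that processing instructions are now checked.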
--
1.8.4

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
11496
Default Alt Text
bug57550.patch (3 KB)
