
bug57550_121.patch

Authored By
bzimport
Nov 22 2014, 2:16 AM
Size
3 KB

bug57550_121.patch

From d75c3d9226cfe9158dc696570c972b8f23c44533 Mon Sep 17 00:00:00 2001
From: mglaser <glaser@hallowelt.biz>
Date: Tue, 7 Jan 2014 01:37:45 +0100
Subject: [PATCH] SECURITY: Disallow stylesheets in svg
Bug: 57550
Change-Id: I114d040314be6c31ec1f7dbbba0b6760e95b3f86
---
includes/XmlTypeCheck.php | 31 ++++++++++++++++++++++++++++++-
includes/upload/UploadBase.php | 20 +++++++++++++++++++-
2 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/includes/XmlTypeCheck.php b/includes/XmlTypeCheck.php
index 2e18460..6a6884b 100644
--- a/includes/XmlTypeCheck.php
+++ b/includes/XmlTypeCheck.php
@@ -40,15 +40,25 @@ class XmlTypeCheck {
public $rootElement = '';
/**
+ * Additional parsing options
+ */
+ private $parserOptions = array(
+ 'processing_instruction_handler' => '',
+ );
+
+ /**
* @param string $file filename
* @param $filterCallback callable (optional)
* Function to call to do additional custom validity checks from the
* SAX element handler event. This gives you access to the element
* namespace, name, and attributes, but not to text contents.
* Filter should return 'true' to toggle on $this->filterMatch
+ * @param array $options list of additional parsing options:
+ * processing_instruction_handler: Callback for xml_set_processing_instruction_handler
*/
- function __construct( $file, $filterCallback=null ) {
+ function __construct( $file, $filterCallback=null, $options=array() ) {
$this->filterCallback = $filterCallback;
+ $this->parserOptions = array_merge( $this->parserOptions, $options );
$this->run( $file );
}
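Review bot: The constructor merges `$options` into `$this->parserOptions` without checking that `processing_instruction_handler` is callable, and the later hunks in `run()` and `processingInstructionHandler()` only test it for truthiness before handing it to `call_user_func`. A misspelled or otherwise non-callable value would make `call_user_func` raise a warning and return a falsy result, so `filterMatch` stays false and the upload filter fails open rather than closed. Validate it before `$this->run( $file )`, for example `if ( $this->parserOptions['processing_instruction_handler'] && !is_callable( $this->parserOptions['processing_instruction_handler'] ) ) { throw new InvalidArgumentException( 'processing_instruction_handler must be callable' ); }`. The class body continues outside this hunk.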
@@ -72,6 +82,13 @@ class XmlTypeCheck {
xml_set_element_handler( $parser, array( $this, 'rootElementOpen' ), false );
+ if ( $this->parserOptions['processing_instruction_handler'] ) {
+ xml_set_processing_instruction_handler(
+ $parser,
+ array( $this, 'processingInstructionHandler' )
+ );
+ }
+
if ( file_exists( $fname ) ) {
$file = fopen( $fname, "rb" );
if ( $file ) {
@@ -123,4 +140,16 @@ class XmlTypeCheck {
$this->filterMatch = true;
}
}
+
+ /**
+ * @param $parser
+ * @param $target
+ * @param $data
+ */
+ private function processingInstructionHandler( $parser, $target, $data ) {
+ if ( call_user_func( $this->parserOptions['processing_instruction_handler'], $target, $data ) ) {
+ // Filter hit!
+ $this->filterMatch = true;
+ }
+ }
}
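Review bot: The docblock on `processingInstructionHandler()` carries three empty `@param` tags and no description, so a reader cannot tell that this is the hook that flips `filterMatch` for processing instructions. I would open it with `SAX processing-instruction handler: forwards the PI target and data to the configured callback and sets filterMatch when it returns a truthy value.` and type the tags as `@param resource $parser`, `@param string $target`, `@param string $data`. It is also worth stating there that the callback's return value is tested by truthiness, since that is the contract `checkSvgPICallback` relies on.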
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index e72669d..9eff0f9 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1148,7 +1148,11 @@ abstract class UploadBase {
* @return bool
*/
protected function detectScriptInSvg( $filename ) {
- $check = new XmlTypeCheck( $filename, array( $this, 'checkSvgScriptCallback' ) );
+ $check = new XmlTypeCheck(
+ $filename,
+ array( $this, 'checkSvgScriptCallback' ),
+ array( 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback' )
+ );
return $check->filterMatch;
}
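Review bot: The processing-instruction callback is passed as the string `'UploadBase::checkSvgPICallback'`, while the element callback one line above is `array( $this, 'checkSvgScriptCallback' )`. The two filters are therefore bound differently: a subclass that overrides the element check is honoured, but the PI check is always the base-class one. If that asymmetry is intended, a short comment such as `// PI filter is deliberately fixed to the base class` would record it; otherwise `array( $this, 'checkSvgPICallback' )` keeps both callbacks consistent. The docblock above `detectScriptInSvg()` starts outside the hunk and presumably still describes only script detection.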
@@ -1253,6 +1257,20 @@ abstract class UploadBase {
return false; //No scripts detected
}
+
+ /**
+ * Callback to filter SVG Processing Instructions.
+ * @param $target string processing instruction name
+ * @param $data string processing instruction attribute and value
+ * @return bool (true if the filter identified something bad)
+ */
+ public static function checkSvgPICallback( $target, $data ) {
+ // Don't allow external stylesheets (bug 57550)
+ if ( preg_match( '/xml-stylesheet/i', $target) ) {
+ return true;
+ }
+ return false;
+ }
/**
* @param $name string
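Review bot: The comment in `checkSvgPICallback()` says "Don't allow external stylesheets", but the code rejects every `xml-stylesheet` processing instruction and never looks at `$data`, so same-document and data-URI hrefs are refused too. That is the safer behaviour, and the comment should say so, otherwise a later maintainer may "fix" the function to inspect the href and weaken the filter: `// Reject every xml-stylesheet PI regardless of its href (bug 57550)`. The unanchored `preg_match( '/xml-stylesheet/i', $target)` also matches any target that merely contains the string; that only over-blocks, but `strcasecmp( $target, 'xml-stylesheet' ) === 0` states the intent without a regex if exact matching is what is meant. Since `$data` is unused, the `@param $data` line could note that it is accepted only to satisfy the handler signature.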
--
1.8.4.msysgit.0
