F12194
bug58472.patch
Public
Authored By
bzimport
Nov 22 2014, 2:22 AM
2014-11-22 02:22:05 (UTC+0)
Size
2 KB
From 4f983c3c3e798c857dbcdc70d45e56e7ed6039df Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Fri, 13 Dec 2013 17:12:00 -0800
Subject: [PATCH] SECURITY: Disallow -o-link in styles
Opera will execute javascript from -o-link css attributes.
Bug: 58472
Change-Id: I3b640282ca1feeb175b095e9fdc4dc3ceff05e0f
---
includes/Sanitizer.php | 12 +++++++++++-
tests/parser/parserTests.txt | 11 +++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 3384af0..f4a138d 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -925,7 +925,17 @@ class Sanitizer {
// Reject problematic keywords and control characters
if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
return '/* invalid control char */';
- } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( | image-set\s*\( !ix', $value ) ) {
+ } elseif ( preg_match(
+ '! expression
+ | filter\s*:
+ | accelerator\s*:
+ | -o-link\s*:
+ | -o-link-source\s*:
+ | -o-replace\s*:
+ | url\s*\(
+ | image\s*\(
+ | image-set\s*\(
+ !ix', $value ) ) {
return '/* insecure input */';
}
return $value;
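Review bot: The three added alternatives `-o-link\s*:`, `-o-link-source\s*:` and `-o-replace\s*:` have no code comment, and the commit message only explains `-o-link`, so nothing records why `-o-replace` is on the list. Please add a short comment above the `preg_match(` call naming Opera and bug 58472, so these entries are not later dropped as unexplained. Separately, each new alternative only matches when the colon follows the property name after optional whitespace; whether other separators, such as a CSS comment between the name and the colon, are normalised before `$value` reaches this check is not visible in this hunk, so it is worth confirming and covering with a test case.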
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index cc935da..9b8100c 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -11754,6 +11754,17 @@ MSIE CSS safety test: sup/sub script
!! end
!! test
+Opera -o-link CSS
+!! input
+<div
+title="data:text/html,<img src=1 onerror=alert(1)>"
+style="-o-link:attr(title);-o-link-source:current">X</div>
+!! result
+<div title="data:text/html,<img src=1 onerror=alert(1)>" style="/* insecure input */">X</div>
+
+!! end
+
+!! test
MSIE CSS safety test: Repetition markers
!! input
<p style="font-size: 100px; color: expres〱ion((title='XSSed'),'red')">A</p>
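Review bot: The new "Opera -o-link CSS" test only exercises `-o-link` and `-o-link-source` together in one style attribute, so `-o-replace\s*:` from the Sanitizer.php change has no coverage, and the first match on `-o-link` would hide a regression in the `-o-link-source` alternative. Please add separate cases for `-o-replace` and for `-o-link-source` on its own, plus one mixed-case or space-before-colon variant, since the `!ix` flags and `\s*` are what those inputs depend on. Each should expect `style="/* insecure input */"` as in this test.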
--
1.8.4
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
11651
Default Alt Text
bug58472.patch (2 KB)
Attached To
Mode
T60472: Opera 12 -o-link XSS (user interaction required)