
bug58472_122.patch

Authored By
bzimport
Nov 22 2014, 2:22 AM
Size
2 KB

bug58472_122.patch

From ee49215dec5ae2114ba79e3d3799b0f50dc5e63b Mon Sep 17 00:00:00 2001
From: mglaser <glaser@hallowelt.biz>
Date: Wed, 8 Jan 2014 13:14:37 +0100
Subject: [PATCH] SECURITY: Disallow -o-link in styles
Opera will execute javascript from -o-link css attributes.
Bug: 58472
Change-Id: I0b9eb66159c4bd8e767af52726309de478ec3962
---
includes/Sanitizer.php | 12 +++++++++++-
tests/parser/parserTests.txt | 11 +++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 499d821..4cfa7f0 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -888,7 +888,17 @@ class Sanitizer {
// Reject problematic keywords and control characters
if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
return '/* invalid control char */';
- } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( | image-set\s*\( !ix', $value ) ) {
+ } elseif ( preg_match(
+ '! expression
+ | filter\s*:
+ | accelerator\s*:
+ | -o-link\s*:
+ | -o-link-source\s*:
+ | -o-replace\s*:
+ | url\s*\(
+ | image\s*\(
+ | image-set\s*\(
+ !ix', $value ) ) {
return '/* insecure input */';
}
return $value;
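Review bot: The new `-o-link`, `-o-link-source` and `-o-replace` alternatives only match the literal property name followed by `\s*:`, so they are only as strong as whatever normalisation `$value` has had before this `preg_match`. That code is outside the hunk, so it is worth confirming that CSS escapes are decoded and comments stripped before the value reaches this check. The existing comment also does not say why these Opera-specific names are listed; I would add `// -o-link, -o-link-source, -o-replace: Opera executes JavaScript from these properties (bug 58472)` above the `elseif` so the entries are not later pruned as dead vendor prefixes. The enclosing method starts and ends outside the hunk.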
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index 02a66b5..b0c019d 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -11574,6 +11574,17 @@ Bug 3244: HTML attribute safety (extension; unsafe)
!! end
+!! test
+Opera -o-link CSS
+!! input
+<div
+title="&#100;&#97;&#116;&#97;&#58;&#116;&#101;&#120;&#116;&#47;&#104;&#116;&#109;&#108;&#44;&#60;&#105;&#109;&#103;&#32;&#115;&#114;&#99;&#61;&#49;&#32;&#111;&#110;&#101;&#114;&#114;&#111;&#114;&#61;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#62;"
+style="-o-link:attr(title);-o-link-source:current">X</div>
+!! result
+<div title="data:text/html,&lt;img src=1 onerror=alert(1)&gt;" style="/* insecure input */">X</div>
+
+!! end
+
# More MSIE fun discovered by Tom Gilder
!! test
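Review bot: The added case exercises only a style value that contains both `-o-link` and `-o-link-source`, and because the sanitizer replaces the whole value as soon as any alternative matches, `-o-link-source\s*:` and `-o-replace\s*:` are never shown to work on their own. A typo in either of those two alternatives would still let this test pass. I would add one parser test per property, each with only that property in the `style` attribute and the same expected `style="/* insecure input */"` result.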
--
1.8.4.msysgit.0
