Page MenuHomePhabricator
Files F12349

bug58553_122.patch
Public
Actions

Authored By
bzimport
Nov 22 2014, 2:26 AM
Size
3 KB
Referenced Files
None
Subscribers
None

bug58553_122.patch
View Options

From e3a850b33b4838a4107f2da7410c9126e8b26c5d Mon Sep 17 00:00:00 2001
From: mglaser <glaser@hallowelt.biz>
Date: Wed, 8 Jan 2014 13:07:32 +0100
Subject: [PATCH] SECURITY: Return error on invalid XML for SVGs
Return an error from UploadBase::detectScriptInSvg when the svg has
XML that cannot be parsed. Usually the XML is invalid, or the parser has
run out of memory trying to parse the file.
This patch is rebased on top of bug 57550.
Bug: 58553
Change-Id: Ib5f6e975431e338c662a748fdd5e9847b25aa50f
---
includes/upload/UploadBase.php | 15 +++++++++++----
languages/messages/MessagesEn.php | 1 +
languages/messages/MessagesQqq.php | 1 +
3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 2260241..565ea0e 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -475,9 +475,10 @@ abstract class UploadBase {
return array( 'uploadscripted' );
}
if ( $this->mFinalExtension == 'svg' || $mime == 'image/svg+xml' ) {
- if ( $this->detectScriptInSvg( $this->mTempPath ) ) {
+ $svgStatus = $this->detectScriptInSvg( $this->mTempPath );
+ if ( $svgStatus !== false ) {
wfProfileOut( __METHOD__ );
- return array( 'uploadscripted' );
+ return $svgStatus;
}
}
}
@@ -1155,11 +1156,17 @@ abstract class UploadBase {
/**
* @param $filename string
- * @return bool
+ * @return mixed false of the file is verified (does not contain scripts), array otherwise.
*/
protected function detectScriptInSvg( $filename ) {
$check = new XmlTypeCheck( $filename, array( $this, 'checkSvgScriptCallback' ) );
- return $check->filterMatch;
+ if ( $check->wellFormed !== true ) {
+ // Invalid xml (bug 58553)
+ return array( 'uploadinvalidxml' );
+ } elseif ( $check->filterMatch ) {
+ return array( 'uploadscripted' );
+ }
+ return false;
}
/**
diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php
index ffbc88a..d87f655 100644
--- a/languages/messages/MessagesEn.php
+++ b/languages/messages/MessagesEn.php
@@ -2352,6 +2352,7 @@ You should check that file's deletion history before proceeding to re-upload it.
'php-uploaddisabledtext' => 'File uploads are disabled in PHP.
Please check the file_uploads setting.',
'uploadscripted' => 'This file contains HTML or script code that may be erroneously interpreted by a web browser.',
+'uploadinvalidxml' => 'The XML in the uploaded file could not be parsed.',
'uploadvirus' => 'The file contains a virus!
Details: $1',
'uploadjava' => 'The file is a ZIP file that contains a Java .class file.
diff --git a/languages/messages/MessagesQqq.php b/languages/messages/MessagesQqq.php
index cdb8a91..7622ddf 100644
--- a/languages/messages/MessagesQqq.php
+++ b/languages/messages/MessagesQqq.php
@@ -4064,6 +4064,7 @@ See also:
* {{msg-mw|zip-wrong-format}}
* {{msg-mw|uploadjava}}
* {{msg-mw|uploadvirus}}',
+'uploadinvalidxml' => 'Error message displayed when the uploaded file contains XML that cannot be properly parsed and checked.',
'uploadvirus' => 'Error message displayed when uploaded file contains a virus.
Parameters:
--
1.8.4.msysgit.0

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
11805
Default Alt Text
bug58553_122.patch (3 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits