0001-PATCH-SECURITY-Make-SVG-import-checking-case-insensi.patch

Authored By: Parent5446, Dec 30 2014, 8:57 PM
Size: 2 KB


From ff4ed6aefb0570f8061758ab30f02d41af1227da Mon Sep 17 00:00:00 2001
From: Tyler Romeo <tylerromeo@gmail.com>
Date: Tue, 30 Dec 2014 15:24:04 -0500
Subject: [PATCH] [PATCH] SECURITY: Make SVG @import checking case insensitive
@import in embedded CSS is case-insensitive, meaning
an attacker can put "@iMpOrT" and it should still
work.
This uses stripos instead of strpos to make the check
case insensitive.
Bug: T85349
Change-Id: I31db9d81f46460af2d8d3f161ba46c2ab7a170d1
---
includes/upload/UploadBase.php | 2 +-
tests/phpunit/includes/upload/UploadBaseTest.php | 6 ++++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 4c96dc8..0aabaea 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1571,7 +1571,7 @@ abstract class UploadBase {
private static function checkCssFragment( $value ) {
# Forbid external stylesheets, for both reliability and to protect viewer's privacy
- if ( strpos( $value, '@import' ) !== false ) {
+ if ( stripos( $value, '@import' ) !== false ) {
return true;
}
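Review bot: switching to stripos closes the ASCII case variants, but the substring search in checkCssFragment still only matches the literal spelling, and a CSS at-keyword can also be written with backslash escapes (for example `@\69mport` or `@\i\mport`), which this check will not see even though the browser parses them as the same import rule; consider decoding CSS escapes (or rejecting any fragment containing a backslash) before the `stripos( $value, '@import' )` call. The comment on the line above still says "Forbid external stylesheets", which remains accurate; stripos is sufficient for this ASCII-only keyword, so no mb_stripos is needed.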
diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php
index f23b264..a80155b 100644
--- a/tests/phpunit/includes/upload/UploadBaseTest.php
+++ b/tests/phpunit/includes/upload/UploadBaseTest.php
@@ -307,6 +307,12 @@ class UploadBaseTest extends MediaWikiTestCase {
'SVG with @import in style element and child element (bug 69008#c11)'
),
array(
+ '<svg xmlns="http://www.w3.org/2000/svg" viewBox="6 3 177 153" xmlns:xlink="http://www.w3.org/1999/xlink"> <style>@imporT "https://fonts.googleapis.com/css?family=Bitter:700&amp;text=WebPlatform.org";</style> <g transform="translate(-.5,-.5)"> <text fill="#474747" x="95" y="150" text-anchor="middle" font-family="Bitter" font-size="20" font-weight="bold">WebPlatform.org</text> </g> </svg>',
+ true,
+ true,
+ 'SVG with case-insensitive @import in style element (bug T85349)'
+ ),
+ array(
'<svg xmlns="http://www.w3.org/2000/svg"> <rect width="100" height="100" style="background-image:url(https://www.google.com/images/srpr/logo11w.png)"/> </svg>',
true,
true,
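Review bot: the new data-provider row only exercises one mixed-case spelling (`@imporT`); add at least the all-uppercase form `@IMPORT` (and, if the check is extended to CSS escapes, an `@\69mport` row) so the case folding is covered end to end rather than by a single sample. The row is otherwise consistent with the neighbouring `@import in style element` case and carries the T85349 reference in its description.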
--
2.2.1
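The commit message above describes replacing strpos with stripos so that mixed-case spellings of @import are caught. The PHP below is an added example, not code from MediaWiki or from this patch: it places the pre-patch and patched substring checks side by side on constructed CSS fragments, and adds a third variant that also undoes CSS backslash escapes, a spelling a literal substring match does not see. The function names, the escape-decoding variant and the sample fragments (with the placeholder host example.invalid) are this example's own assumptions.

```php
<?php
// Added example (not MediaWiki code): the check the patch replaces, the check
// it introduces, and a stricter variant, run against constructed fragments.

/** Pre-patch check: byte-exact, case-sensitive substring match. */
function importCheckCaseSensitive(string $css): bool {
    return strpos($css, '@import') !== false;
}

/** Patched check: stripos folds ASCII case, so "@iMpOrT" is also caught. */
function importCheckCaseInsensitive(string $css): bool {
    return stripos($css, '@import') !== false;
}

/**
 * Stricter variant (an assumption of this example, not what the patch does).
 * CSS identifiers may contain backslash escapes, so "@\69mport" or "@\i\mport"
 * names the same at-rule; undo those escapes before the substring search.
 * Hex escapes are decoded only when they yield ASCII, which is all the
 * keyword needs; anything else is left untouched.
 */
function importCheckDecoded(string $css): bool {
    // \XX...X: one to six hex digits, optionally followed by one whitespace char
    $decoded = preg_replace_callback(
        '/\\\\([0-9a-fA-F]{1,6})\s?/',
        function (array $m): string {
            $cp = hexdec($m[1]);
            return $cp < 0x80 ? chr($cp) : $m[0];
        },
        $css
    );
    // \X for any other character: the escape simply yields X
    $decoded = preg_replace('/\\\\(.)/s', '$1', $decoded);
    return stripos($decoded, '@import') !== false;
}

// Constructed fragments; example.invalid is a placeholder host.
$fragments = [
    'lowercase'   => '@import "https://example.invalid/a.css";',
    'mixed case'  => '@iMpOrT "https://example.invalid/a.css";',
    'hex escape'  => '@\69mport "https://example.invalid/a.css";',
    'char escape' => '@\i\mport "https://example.invalid/a.css";',
    'benign'      => '.a { fill: red; }',
];

printf("%-12s %-8s %-8s %s\n", 'fragment', 'strpos', 'stripos', 'decoded');
foreach ($fragments as $label => $css) {
    printf(
        "%-12s %-8s %-8s %s\n",
        $label,
        importCheckCaseSensitive($css) ? 'reject' : 'allow',
        importCheckCaseInsensitive($css) ? 'reject' : 'allow',
        importCheckDecoded($css) ? 'reject' : 'allow'
    );
}
```

Run it with the php CLI. The table shows the pre-patch check letting the mixed-case fragment through, the patched check rejecting it, and only the escape-decoding variant rejecting the two escaped spellings; the last column is there to show the gap a plain substring match leaves, not to describe how MediaWiki handles it.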

File Metadata

Mime Type
text/x-diff