F25869
0001-PATCH-SECURITY-Make-SVG-import-checking-case-insensi.patch
Parent5446 (Tyler Romeo)
Authored By
Parent5446
Dec 30 2014, 8:57 PM
2014-12-30 20:57:03 (UTC+0)
Size
2 KB
From ff4ed6aefb0570f8061758ab30f02d41af1227da Mon Sep 17 00:00:00 2001
From: Tyler Romeo <tylerromeo@gmail.com>
Date: Tue, 30 Dec 2014 15:24:04 -0500
Subject: [PATCH] [PATCH] SECURITY: Make SVG @import checking case insensitive
@import in embedded CSS is case-insensitive, meaning
an attacker can put "@iMpOrT" and it should still
work.
This uses stripos instead of strpos to make the check
case insensitive.
Bug: T85349
Change-Id: I31db9d81f46460af2d8d3f161ba46c2ab7a170d1
---
includes/upload/UploadBase.php | 2 +-
tests/phpunit/includes/upload/UploadBaseTest.php | 6 ++++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 4c96dc8..0aabaea 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1571,7 +1571,7 @@ abstract class UploadBase {
private static function checkCssFragment( $value ) {
# Forbid external stylesheets, for both reliability and to protect viewer's privacy
- if ( strpos( $value, '@import' ) !== false ) {
+ if ( stripos( $value, '@import' ) !== false ) {
return true;
}
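Review bot: The `stripos( $value, '@import' )` test in `checkCssFragment()` is still a raw substring match on `$value`, so it only fires when the literal characters of the at-keyword appear in the input, and nothing in the visible context shows `$value` being normalized first. If callers do not already decode CSS escape sequences and strip comments before this point, consider doing that at the top of the function so every check here sees the same canonical form a CSS parser would. It would also help to extend the `# Forbid external stylesheets` comment to say the match is deliberately case-insensitive, so a later cleanup does not revert it to `strpos`.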
diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php
index f23b264..a80155b 100644
--- a/tests/phpunit/includes/upload/UploadBaseTest.php
+++ b/tests/phpunit/includes/upload/UploadBaseTest.php
@@ -307,6 +307,12 @@ class UploadBaseTest extends MediaWikiTestCase {
'SVG with @import in style element and child element (bug 69008#c11)'
),
array(
+ '<svg xmlns="http://www.w3.org/2000/svg" viewBox="6 3 177 153" xmlns:xlink="http://www.w3.org/1999/xlink"> <style>@imporT "https://fonts.googleapis.com/css?family=Bitter:700&text=WebPlatform.org";</style> <g transform="translate(-.5,-.5)"> <text fill="#474747" x="95" y="150" text-anchor="middle" font-family="Bitter" font-size="20" font-weight="bold">WebPlatform.org</text> </g> </svg>',
+ true,
+ true,
+ 'SVG with case-insensitive @import in style element (bug T85349)'
+ ),
+ array(
'<svg xmlns="http://www.w3.org/2000/svg"> <rect width="100" height="100" style="background-image:url(https://www.google.com/images/srpr/logo11w.png)"/> </svg>',
true,
true,
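Review bot: The new data-provider entry pins only one casing, `@imporT`, and only inside a `<style>` element. Consider adding the `@iMpOrT` form quoted in the commit message or an all-uppercase `@IMPORT`, and, if attribute values reach the same CSS check, a mixed-case case in a `style="..."` attribute like the `<rect>` entry that follows. The description string cites 'bug T85349' while the neighbouring entry cites 'bug 69008#c11'; a consistent reference style would make these cases easier to search for.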
--
2.2.1
Attached To
T85850: Stored XSS in SVG via embedded SVG
T85349: SVG @import style validation bypass