Page MenuHomePhabricator
Files F3209520

T123071.patch
csteipp (Chris Steipp)
Actions

Authored By
csteipp
Jan 7 2016, 4:20 PM
Size
2 KB
Referenced Files
None
Subscribers
None

T123071.patch
View Options

From 858634de026432a4fed548f0c014452bd40cbd23 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Thu, 7 Jan 2016 08:13:16 -0800
Subject: [PATCH] SECURITY: Don't use m modifier when checking link prefix
SVG filter incorrectly used the m modifier when checking if an href
attribute started with 'https?://', incorrectly matching attributes
such as, "javascript:alert('&#10;http://foo')".
Bug: T122653
Change-Id: I41291fff344241cad3171f3e8050de99b62a2296
---
includes/upload/UploadBase.php | 3 +--
tests/phpunit/includes/upload/UploadBaseTest.php | 6 ++++++
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index f8624d0..95d1d06 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1291,7 +1291,6 @@ abstract class UploadBase {
* @return bool
*/
public function checkSvgScriptCallback( $element, $attribs, $data = null ) {
-
list( $namespace, $strippedElement ) = $this->splitXmlNamespace( $element );
// We specifically don't include:
@@ -1400,7 +1399,7 @@ abstract class UploadBase {
&& strpos( $value, '#' ) !== 0
) {
if ( !( $strippedElement === 'a'
- && preg_match( '!^https?://!im', $value ) )
+ && preg_match( '!^https?://!i', $value ) )
) {
wfDebug( __METHOD__ . ": Found href attribute <$strippedElement "
. "'$attrib'='$value' in uploaded file.\n" );
diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php
index 90051ee..cf86702 100644
--- a/tests/phpunit/includes/upload/UploadBaseTest.php
+++ b/tests/phpunit/includes/upload/UploadBaseTest.php
@@ -374,6 +374,12 @@ class UploadBaseTest extends MediaWikiTestCase {
false,
'SVG with external entity'
),
+ array(
+ "<svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"> <g> <a xlink:href=\"javascript:alert('1&#10;https://google.com')\"> <rect width=\"300\" height=\"100\" style=\"fill:rgb(0,0,255);stroke-width:1;stroke:rgb(0,0,2)\" /> </a> </g> </svg>",
+ true,
+ false,
+ 'SVG with javascript <a> link with newline (T122653)'
+ ),
// Test good, but strange files that we want to allow
array(
--
1.8.4.5

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3217529
Default Alt Text
T123071.patch (2 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL