Page MenuHomePhabricator
Files F3434159

T123071b.patch
csteipp (Chris Steipp)
Actions

Authored By
csteipp
Feb 26 2016, 11:31 PM
Size
1 KB
Referenced Files
None
Subscribers
None

T123071b.patch
View Options

From 584bf33751c9e6f67899b1eb8e0363d7e171cfb7 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Thu, 7 Jan 2016 08:13:16 -0800
Subject: [PATCH] SECURITY: Don't use m modifier when checking link prefix
SVG filter incorrectly used the m modifier when checking if an href
attribute started with 'https?://', incorrectly matching attributes
such as, "javascript:alert('&#10;http://foo')".
Bug: T122653
Change-Id: I41291fff344241cad3171f3e8050de99b62a2296
---
includes/upload/UploadBase.php | 2 +-
tests/phpunit/includes/upload/UploadBaseTest.php | 6 ++++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index c1e538a..66b4b84 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1403,7 +1403,7 @@ abstract class UploadBase {
&& strpos( $value, '#' ) !== 0
) {
if ( !( $strippedElement === 'a'
- && preg_match( '!^https?://!im', $value ) )
+ && preg_match( '!^https?://!i', $value ) )
) {
wfDebug( __METHOD__ . ": Found href attribute <$strippedElement "
. "'$attrib'='$value' in uploaded file.\n" );
diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php
index a274b84..caa07b4 100644
--- a/tests/phpunit/includes/upload/UploadBaseTest.php
+++ b/tests/phpunit/includes/upload/UploadBaseTest.php
@@ -374,6 +374,12 @@ class UploadBaseTest extends MediaWikiTestCase {
false,
'SVG with external entity'
),
+ array(
+ "<svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"> <g> <a xlink:href=\"javascript:alert('1&#10;https://google.com')\"> <rect width=\"300\" height=\"100\" style=\"fill:rgb(0,0,255);stroke-width:1;stroke:rgb(0,0,2)\" /> </a> </g> </svg>",
+ true,
+ true,
+ 'SVG with javascript <a> link with newline (T122653)'
+ ),
// Test good, but strange files that we want to allow
array(
--
2.6.2

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3418351
Default Alt Text
T123071b.patch (1 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits