
T144845-REL1_23.patch

Authored By
Bawolff
Feb 3 2017, 8:48 AM
Size
2 KB
Referenced Files
None
Subscribers
None


From b581c9c3653b8fcea8e89732d43507cff6345d07 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Wed, 11 Jun 2014 16:29:33 -0700
Subject: [PATCH] Disallow css attr() with url type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CSS3 seems like it will extend the attr() function which can interpret
attribute as different types, including 'url', which "...is interpreted
as a quoted string within the ‘url()’ notation."
Currently no browsers support this syntax yet, so submitting this
as a normal non-security patch.
Bug: T68404
Change-Id: Icdae989764754c985a9292d62efae7cc47009df5
---
RELEASE-NOTES-1.23 | 7 +++++++
includes/Sanitizer.php | 1 +
tests/phpunit/includes/SanitizerTest.php | 2 ++
3 files changed, 10 insertions(+)
diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index 031249d..4e1116a 100644
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -1,6 +1,13 @@
Security reminder: MediaWiki does not require PHP's register_globals. If you
have it on, turn it '''off''' if you can.
+== MediaWiki 1.23.16 ==
+This is not a release yet!
+
+=== Changes since 1.23.15 ===
+* (T68404) CSS3 attr() function with url type is no longer allowed
+ in inline styles.
+
== MediaWiki 1.23.15 ==
This is a maintenance release of the MediaWiki 1.23 branch.
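Review bot: The new entry under "Changes since 1.23.15" says attr() with url type "is no longer allowed in inline styles" but does not say what an editor will observe. Per the Sanitizer.php change in this patch, a matching value is replaced with '/* insecure input */', so consider stating that the style is dropped and replaced by that marker. That lets wiki administrators recognise the behaviour when a template's styling disappears after upgrade.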
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 80740c3..8c247e3 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -951,6 +951,7 @@ class Sanitizer {
| url\s*\(
| image\s*\(
| image-set\s*\(
+ | attr\s*\([^)]+[\s,]+url
!ix', $value ) ) {
return '/* insecure input */';
}
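Review bot: The added alternative `attr\s*\([^)]+[\s,]+url` has no boundary after `url` and is not tied to the type position, so it rejects any attr() call in which some later token merely begins with "url" after whitespace or a comma, not only the url type keyword. Because this branch fails closed with '/* insecure input */', over-matching is the safe direction, but it is undocumented. Please add a short comment above the line saying that the broad match is deliberate, so a later cleanup does not narrow it and reopen the case described in the commit message.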
diff --git a/tests/phpunit/includes/SanitizerTest.php b/tests/phpunit/includes/SanitizerTest.php
index 97abf80..a00bcb6 100644
--- a/tests/phpunit/includes/SanitizerTest.php
+++ b/tests/phpunit/includes/SanitizerTest.php
@@ -275,6 +275,8 @@ class SanitizerTest extends MediaWikiTestCase {
array( '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);' ),
array( '/* insecure input */', 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
array( '/* insecure input */', 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
+ array( '/* insecure input */', 'foo: attr( title, url );' ),
+ array( '/* insecure input */', 'foo: attr( title url );' ),
);
}
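Review bot: Both added cases are positive matches ('foo: attr( title, url );' and 'foo: attr( title url );'); there is no case showing that an attr() call without the url type still passes through unchanged, so a regression that blocks every attr() would not be caught here. Suggest adding a pass-through case for a plain attr( title ), plus a mixed-case variant of the url form, since the pattern is compiled with the `ix` flags and case-insensitivity is part of what the check relies on.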
--
1.9.5 (Apple Git-50.3)

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
4328395
Default Alt Text
T144845-REL1_23.patch (2 KB)
