Page MenuHomePhabricator
Create Task
Maniphest T278386

SVG upload fails because $safeXmlEncodings doesn't contain US-ASCII
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to Reproduce:

  • Try to upload an SVG file with the XML declaration <?xml version='1.0' encoding='us-ascii' standalone='no'?>

Actual Results:

  • Error message:

This file contains HTML or script code that may be erroneously interpreted by a web browser. See the FAQ for more information.

Expected Results:

Successful upload.

Workaround:

Change encoding='us-ascii' to encoding='utf-8'.

Notes:

After a discussion in IRC, @AntiCompositeNumber in #wikimedia-commons found that the problem is the encoding. This encoding is rather strange, but it wasn't a conscious decision by me. Several XML creators, including Python's xml.etree, now keep track of whether any character in the document is non-ASCII, and if not, they tag the whole document us-ascii. Therefore, this encoding should be added to $safeXmlEncodings. I can't think of a reason ASCII would be less safe than UTF-8.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add us-ascii to safeXmlEncodingsmediawiki/coremaster+2 -0
Customize query in gerrit

Related Objects

Event Timeline

copypaste created this task.Mar 24 2021, 8:48 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 24 2021, 8:48 PM
copypaste renamed this task from SVG upload fails because $safeXmlEncodings doesn't encode US-ASCII to SVG upload fails because $safeXmlEncodings doesn't contain US-ASCII.Mar 24 2021, 8:52 PM
copypaste updated the task description. (Show Details)
Reedy added a project: MediaWiki-File-management.Mar 24 2021, 8:58 PM
Restricted Application added a project: Commons. · View Herald TranscriptMar 24 2021, 8:58 PM
Meow moved this task from Incoming to Thumbnail and file renderings on the Commons board.Jul 28 2021, 9:03 AM
Meow moved this task from Thumbnail and file renderings to Uploading (Special:Upload) on the Commons board.Jul 28 2021, 9:17 AM
Meow moved this task from Uploading (Special:Upload) to Uploading on the Commons board.
TheDJ claimed this task.Apr 20 2022, 10:22 AM
TheDJ subscribed.

This is related to T49304: SVG JavaScript detection bypass

us-ascii is backwards compatible with utf-8, so this should be easy to fix and not a security problem. I actually think it was just an oversight that it didn't get included in that list (maybe because we didn't have any existing files in us-ascii back then).

gerritbot added a comment.Apr 20 2022, 8:03 PM

Change 784759 had a related patch set uploaded (by TheDJ; author: TheDJ):

[mediawiki/core@master] Add us-ascii to safeXmlEncodings

https://gerrit.wikimedia.org/r/784759

gerritbot added a project: Patch-For-Review.Apr 20 2022, 8:03 PM
gerritbot added a comment.Apr 27 2022, 12:44 PM

Change 784759 merged by jenkins-bot:

[mediawiki/core@master] Add us-ascii to safeXmlEncodings

https://gerrit.wikimedia.org/r/784759

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.10; 2022-05-02).Apr 27 2022, 1:00 PM
Maintenance_bot removed a project: Patch-For-Review.Apr 27 2022, 1:31 PM
TheDJ closed this task as Resolved.Apr 27 2022, 8:26 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits