Page MenuHomePhabricator
Create Task
Maniphest T308395

SVG rasterization fails when filename contains "$output"
Closed, ResolvedPublicBUG REPORT
Actions

Description

List of steps to reproduce (step by step, including full links if applicable):

  • Set in LocalSettings.php:
$wgFileExtensions = array_merge($wgFileExtensions, array('svg'));
  • Upload an SVG file. Give it the destination filename Test$output.svg.

What happens?:

See error message in the File: page:

Error creating thumbnail: convert-im6.q16: unable to open image `/tmp/svg_caed3aacae81aada8a9a30bb/Test/tmp/transform_e13974305cb3.png.svg': No such file or directory @ error/blob.c/OpenBlob/2924. convert-im6.q16: no images defined `PNG:/tmp/transform_e13974305cb3.png' @ error/convert.c/ConvertImageCommand/3229.

See in $wgDebugLogFile:

[thumbnail] thumbnail failed on <hostname>: error 1 "convert-im6.q16: unable to open image `/tmp/svg_caed3aacae81aada8a9a30bb/Test/tmp/transform_e13974305cb3.png.svg': No such file or directory @ error/blob.c/OpenBlob/2924.
convert-im6.q16: no images defined `PNG:/tmp/transform_e13974305cb3.png' @ error/convert.c/ConvertImageCommand/3229." from "convert -background "#ffffff00" -thumbnail 120x120\! '/tmp/svg_caed3aacae81aada8a9a30bb/Test'/tmp/transform_e13974305cb3.png'.svg' PNG:'/tmp/transform_e13974305cb3.png'"

What should have happened instead?:

A bitmap preview should have been created.

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc.:

MediaWiki 1.37.2

This bug is similar to T308394. It happens because when str_replace in SvgHandler::rasterize substitutes the strings $path, $width, $height, $input, and $output in $wgSVGConverters, it does the substitutions sequentially, not simultaneously. $input gets replaced with an input path that contains $output. Then, that newly introduced $output gets replaced with the output path (in addition to the $output that was already present in $svgConverters[$svgConverter]).

https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/df1a7bf546886209b72542488bf50d4dc7f142b5/includes/media/SvgHandler.php#344

As with T308394, I did not find any security vulnerabilities caused by this bug. The only substitution an attacker can control flexibly is $input. Though the $output substitution that happens later is outside the shell quoting, its substituted value is a generated temporary path that is not likely to contain shell metacharacters. I suppose there could be unexpected behavior if the path to the temporary directory contained a space, or something like that.

Details

SubjectRepoBranchLines +/-
Replace complex preg_replace_callback with strtr/preg_replacemediawiki/coremaster+45 -62
media: Guard wgSVGConverters against placeholders within shell argumentsmediawiki/coremaster+11 -7
Customize query in gerrit

Related Objects

Event Timeline

SacredSum created this task.May 15 2022, 3:50 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 15 2022, 3:50 AM
Maintenance_bot added a project: Commons.May 15 2022, 4:30 AM
Peachey88 removed a project: Commons.May 15 2022, 6:19 AM
SacredSum updated the task description. (Show Details)May 15 2022, 2:09 PM
TheDJ added a project: User-TheDJ.Jun 8 2022, 12:44 PM
Glrx mentioned this in T40010: RFC: Re-evaluate librsvg as SVG renderer on Wikimedia wikis.Jun 11 2022, 2:40 AM
gerritbot added a comment.Feb 9 2023, 8:31 PM

Change 888085 had a related patch set uploaded (by TheDJ; author: TheDJ):

[mediawiki/core@master] Guard wgSVGConverters against placeholders within values

https://gerrit.wikimedia.org/r/888085

gerritbot added a project: Patch-For-Review.Feb 9 2023, 8:31 PM
TheDJ moved this task from Inbox to For-review on the User-TheDJ board.Feb 9 2023, 8:36 PM
Krinkle awarded a token.Feb 9 2023, 8:45 PM
Krinkle subscribed.Feb 10 2023, 11:10 PM

This is probably worth backporting a fair bit.

gerritbot added a comment.Feb 10 2023, 11:26 PM

Change 888085 merged by jenkins-bot:

[mediawiki/core@master] media: Guard wgSVGConverters against placeholders within shell arguments

https://gerrit.wikimedia.org/r/888085

Maintenance_bot removed a project: Patch-For-Review.Feb 10 2023, 11:30 PM
ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.23; 2023-02-13).Feb 11 2023, 12:00 AM
TheDJ closed this task as Resolved.Feb 26 2023, 7:14 PM
TheDJ claimed this task.
gerritbot added a comment.Oct 4 2023, 2:16 PM

Change 963270 had a related patch set uploaded (by Thiemo Kreuz (WMDE); author: Thiemo Kreuz (WMDE)):

[mediawiki/core@master] Replace complex preg_replace_callback with strtr/preg_replace

https://gerrit.wikimedia.org/r/963270

gerritbot added a project: Patch-For-Review.Oct 4 2023, 2:16 PM
gerritbot added a comment.Oct 5 2023, 7:14 PM

Change 963270 merged by jenkins-bot:

[mediawiki/core@master] Replace complex preg_replace_callback with strtr/preg_replace

https://gerrit.wikimedia.org/r/963270

Maintenance_bot removed a project: Patch-For-Review.Oct 5 2023, 7:31 PM
ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.30; 2023-10-10).Oct 5 2023, 8:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL