Page MenuHomePhabricator

Invalid xml accepted by svg upload
Closed, ResolvedPublic

Description

Tim pointed out on bug 57550 that our SVG script checker doesn't check to ensure that the xml parser found the svg to be well formed. The checkSvgScriptCallback isn't called for any part of the svg following invalid xml, so anything that would be caught as a script in checkSvgScriptCallback is skipped.

In testing, it appears that modern versions of FF/Chrome/Opera all stop rendering svg files when they encounter invalid xml.

However, in case any older browsers ignore errors, we should also reject invalid xml for SVG uploads.


Version: unspecified
Severity: normal

Details

Reference
bz58553

Related Objects

Event Timeline

bzimport raised the priority of this task from to Normal.
bzimport set Reference to bz58553.
bzimport added a subscriber: Unknown Object (MLST).
csteipp created this task.Dec 16 2013, 9:56 PM

The cases where xml_parse() returns false is broader than the strict definition of invalid XML. For example, libxml loads the values of attributes into dynamically allocated memory. With ulimit/cgroup limiting memory usage, the malloc() can return NULL, which leads to xml_parse() returning 0 and giving a PHP warning like:

Warning: xml_parse(): Memory allocation failed : growing buffer in /srv/mw/core/includes/libs/XmlTypeCheck.php on line 124

Created attachment 14116
Return error on invalid XML

attachment bug58553.patch ignored as obsolete

Hmm.. didn't see your comment until I posted that. Perhaps the error should be "Couldn't parse the XML"?

Created attachment 14124
Return error if XML can't be parsed for SVGs

Added the translations to this version. Updated the message per Tim's comment.

Attached:

Created attachment 14143
Patch rebased on the patch for bug 57550

Attached:

This was assigned CVE-2013-6453

Created attachment 14267
Return error if XML can't be parsed for SVGs (1.19 branch)

Attached:

Created attachment 14268
Return error if XML can't be parsed for SVGs (1.21 branch)

Attached:

Created attachment 14269
Return error if XML can't be parsed for SVGs (1.22 branch)

Attached:

Gilles moved this task from Untriaged to Done on the Multimedia board.
Gilles raised the priority of this task from Normal to Unbreak Now!.
Gilles lowered the priority of this task from Unbreak Now! to Normal.Dec 4 2014, 11:21 AM