SECURITY: Whitelist DTD declaration in SVG
e4784c6b8dd6 (Unpublished)

Publishing Disabled: All publishing is disabled for this repository.
This commit no longer exists in the repository. It may have been part of a branch which was deleted. This commit has been deleted in the repository: it is no longer reachable from any branch, tag, or ref.

Description

SECURITY: Whitelist DTD declaration in SVG

Only allow ENTITY declarations inside the doctype internal
subset. Do not allow parameter entities, recursive entity
references, entity values longer than 255 bytes, or
external entity references. Filter external doctype subset
to only allow the standard svg doctypes.

Recursive entities that are simple aliases are allowed
because people appear to use them on commons. Declaring
xmlns:xlink to have a #FIXED value to the xlink namespace
is allowed because GraphViz apparently does that so it's
somewhat common.

This prevents someone bypassing the filter by using default
attribute values in internal dtd subset. No browser loads
the external dtd subset that I could find, but whitelist
just to be safe anyways.

Issue reported by Cassiogomes11.

Bug: T151735
Change-Id: I7cb4690f759ad97e70e06e560978b6207d84c446
(cherry picked from commit bc31c5bd57e5f58c204113ef651d8fa172122c47)
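
The internal-subset rules listed in the commit message above, as an added Python sketch; it is not MediaWiki's code, which this page does not show. The function name `dtd_violations`, the regexes, and the conservative choice to treat any `&` or `%` in a non-alias value as a reference are assumptions, and the sample inputs are constructed.

```python
import re

# One token = a comment or one <!...> declaration (quoted strings may contain '>').
# Comments and declarations are scanned together, left to right, so a quoted
# "<!--" inside an entity value cannot hide the declarations that follow it.
TOKEN = re.compile(r"""(?P<comment><!--.*?-->)|<!(?:"[^"]*"|'[^']*'|[^>"'])*>""", re.S)
# General entity with an inline literal value: no '%' (parameter entity) and
# no SYSTEM/PUBLIC keyword (external entity) can match this shape.
ENTITY = re.compile(r"""<!ENTITY\s+[^\s%"']+\s+(?:"([^"]*)"|'([^']*)')\s*>""")
# A value that is nothing but one reference to another entity (simple alias).
ALIAS = re.compile(r"&[^\s&;%]+;")
# The single ATTLIST the commit message tolerates (emitted by GraphViz).
XLINK = re.compile(r"""<!ATTLIST\s+svg\s+xmlns:xlink\s+CDATA\s+#FIXED\s+"""
                   r"""(["'])http://www\.w3\.org/1999/xlink\1\s*>""")
MAX_VALUE_BYTES = 255


def dtd_violations(subset: str) -> list[str]:
    """Return the reasons an internal DTD subset is rejected; [] means accepted."""
    problems = []
    if TOKEN.sub("", subset).strip():
        # Anything left over: a %pe; reference, a processing instruction, junk.
        problems.append("content outside declarations")
    for m in TOKEN.finditer(subset):
        token = m.group(0)
        if m.group("comment") is not None or XLINK.fullmatch(token):
            continue
        entity = ENTITY.fullmatch(token)
        if entity is None:
            problems.append("declaration not allowed: " + token[:30])
            continue
        value = entity.group(1) if entity.group(1) is not None else entity.group(2)
        if len(value.encode("utf-8")) > MAX_VALUE_BYTES:
            problems.append("entity value longer than 255 bytes")
        elif re.search("[&%]", value) and not ALIAS.fullmatch(value):
            problems.append("entity value references another entity")
    return problems


# Constructed samples (not taken from the page or from any real upload).
ACCEPTED = ('<!ENTITY ns_svg "http://www.w3.org/2000/svg"> <!ENTITY alias "&ns_svg;">'
            ' <!ATTLIST svg xmlns:xlink CDATA #FIXED "http://www.w3.org/1999/xlink">')
REJECTED = ('<!ENTITY % pe "x"> <!ENTITY ext SYSTEM "http://example.invalid/e">'
            ' <!ATTLIST rect fill CDATA "red">')

if __name__ == "__main__":
    print(dtd_violations(ACCEPTED))
    print(dtd_violations(REJECTED))
```

The check is an allowlist: a declaration passes only if it matches one of the two accepted shapes, so declaration types the sketch never names (`<!ELEMENT`, `<!NOTATION`, other `<!ATTLIST` forms) are rejected by default.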

Details

Provenance
Bawolff authored on Nov 28 2016, 11:34 PM
Urbanrogue committed on Apr 7 2017, 6:52 PM
ChangeId: I7cb4690f759ad97e70e06e560978b6207d84c446
