From: csteipp Date: Thu, 7 Jan 2016 16:13:16 +0000 (-0800) Subject: SECURITY: Don't use m modifier when checking link prefix X-Git-Tag: 1.31.0-rc.0~6887 X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22naviguer%22%29%20.%20%22?a=commitdiff_plain;h=fdc70074bbe9cec0e83a2ef512c356861e60dc88;p=lhc%2Fweb%2Fwiklou.git SECURITY: Don't use m modifier when checking link prefix SVG filter incorrectly used the m modifier when checking if an href attribute started with 'https?://', incorrectly matching attributes such as, "javascript:alert(' http://foo')". Bug: T122653 Change-Id: I41291fff344241cad3171f3e8050de99b62a2296 Signed-off-by: Chad Horohoe --- diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php index 1185c4da61..ba5171f523 100644 --- a/includes/upload/UploadBase.php +++ b/includes/upload/UploadBase.php @@ -1422,7 +1422,7 @@ abstract class UploadBase { && strpos( $value, '#' ) !== 0 ) { if ( !( $strippedElement === 'a' - && preg_match( '!^https?://!im', $value ) ) + && preg_match( '!^https?://!i', $value ) ) ) { wfDebug( __METHOD__ . ": Found href attribute <$strippedElement " . "'$attrib'='$value' in uploaded file.\n" ); diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php index ee74957c2c..287af29d79 100644 --- a/tests/phpunit/includes/upload/UploadBaseTest.php +++ b/tests/phpunit/includes/upload/UploadBaseTest.php @@ -374,7 +374,12 @@ class UploadBaseTest extends MediaWikiTestCase { false, 'SVG with external entity' ], - + [ + " ", + true, + true, + 'SVG with javascript link with newline (T122653)' + ], // Test good, but strange files that we want to allow [ ' ',
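Review bot: removing the `m` modifier is the correct fix for the condition in `UploadBase.php`, since with `m` the `^` in `preg_match( '!^https?://!im', $value )` matches at the start of every line of the subject, so an href whose value is `javascript:alert('` followed by a newline and then `http://foo')` is accepted as an external link; without `m`, `^` matches only at the start of the whole attribute value. As a style point, spelling the anchor as `'!\Ahttps?://!i'` would make the intent explicit and survive someone re-adding `m` for another reason later. It is also worth confirming that `$value` reaching this check is the decoded attribute value rather than the raw XML text, because the scheme comparison is only meaningful after entity decoding.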
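Review bot: the new case in `UploadBaseTest.php`, labelled 'SVG with javascript link with newline (T122653)', shows an empty fixture string (`" "`) as rendered here, so as displayed it does not exercise the regression it is named for; make sure the committed fixture is an SVG containing an `<a>` element whose href is a `javascript:` URL with a newline before `http://`, matching the payload described in the commit message, so that the test fails against the `!^https?://!im` version and passes with `!^https?://!i`.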