From 5eac114e5adda4533c35cd515975a78769c85c33 Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Tue, 1 Feb 2011 22:36:43 +0000
Subject: [PATCH] (bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability.

The StringUtils.php patch is by Roan, the Sanitizer.php patch is by me.
---
 includes/Sanitizer.php   | 7 +++++++
 includes/StringUtils.php | 6 +++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index ab67010734..9585f9a68d 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -747,6 +747,13 @@ class Sanitizer {
 		// Remove any comments; IE gets token splitting wrong
 		$value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
 
+		// Remove anything after a comment-start token, to guard against
+		// incorrect client implementations.
+		$commentPos = strpos( $value, '/*' );
+		if ( $commentPos !== false ) {
+			$value = substr( $value, 0, $commentPos );
+		}
+
 		// Decode escape sequences and line continuation
 		// See the grammar in the CSS 2 spec, appendix D.
 		static $decodeRegex;
diff --git a/includes/StringUtils.php b/includes/StringUtils.php
index 4c742e011a..c1e617a044 100644
--- a/includes/StringUtils.php
+++ b/includes/StringUtils.php
@@ -81,16 +81,20 @@ class StringUtils {
 			}
 
 			if ( $tokenType == 'start' ) {
-				$inputPos = $tokenOffset + $tokenLength;
 				# Only move the start position if we haven't already found a start
 				# This means that START START END matches outer pair
 				if ( !$foundStart ) {
 					# Found start
+					$inputPos = $tokenOffset + $tokenLength;
 					# Write out the non-matching section
 					$output .= substr( $subject, $outputPos, $tokenOffset - $outputPos );
 					$outputPos = $tokenOffset;
 					$contentPos = $inputPos;
 					$foundStart = true;
+				} else {
+					# Move the input position past the *first character* of START,
+					# to protect against missing END when it overlaps with START
+					$inputPos = $tokenOffset + 1;
 				}
 			} elseif ( $tokenType == 'end' ) {
 				if ( $foundStart ) {
-- 
2.20.1
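Review bot: The new truncation at `/*` runs before the escape-sequence and line-continuation decoding that the following context lines introduce, so it only covers comment-start tokens present in the raw value; a token that only comes into existence after that decode step is not caught. Either move the `delimiterReplace` call and this truncation below the decode, or repeat the `strpos( $value, '/*' )` / `substr( $value, 0, $commentPos )` check once decoding is done, and say so in the comment so the ordering is not undone later. `strpos` and `substr` are byte-wise, which is acceptable here because the needle is ASCII. The enclosing method starts and ends outside the hunk, so a later re-check may already exist there — worth confirming rather than assuming.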
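Review bot: The comment on the new `else` branch describes the mechanism but not the case it fixes; I'd expand it to `# A START found while already inside a match may share its last character with an END, so advance one character only so the END search can still see it.` The fix relies on the 'end' token search also resuming from `$inputPos`, which is outside this hunk — worth confirming rather than assuming. A regression test for `delimiterReplace` with a subject whose opener and closer overlap would pin the behaviour, since the defect only shows when the closer is skipped. The enclosing method starts and ends outside the hunk.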