SECURITY: Don't use m modifier when checking link prefix

SVG filter incorrectly used the m modifier when checking if an href
attribute started with 'https?://', incorrectly matching attributes
such as, "javascript:alert('
http://foo')".

Bug: T122653
Change-Id: I41291fff344241cad3171f3e8050de99b62a2296

Signed-off-by: Chad Horohoe <chadh@wikimedia.org>

diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 1185c4d..ba5171f 100644 (file)
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1422,7 +1422,7 @@ abstract class UploadBase {
                                && strpos( $value, '#' ) !== 0
                        ) {
                                if ( !( $strippedElement === 'a'
-                                       && preg_match( '!^https?://!im', $value ) )
+                                       && preg_match( '!^https?://!i', $value ) )
                                ) {
                                        wfDebug( __METHOD__ . ": Found href attribute <$strippedElement "
                                                . "'$attrib'='$value' in uploaded file.\n" );

diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php
index ee74957..287af29 100644 (file)
--- a/tests/phpunit/includes/upload/UploadBaseTest.php
+++ b/tests/phpunit/includes/upload/UploadBaseTest.php
@@ -374,7 +374,12 @@ class UploadBaseTest extends MediaWikiTestCase {
                                false,
                                'SVG with external entity'
                        ],
-
+                       [
+                               "<svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"> <g> <a xlink:href=\"javascript:alert('1&#10;https://google.com')\"> <rect width=\"300\" height=\"100\" style=\"fill:rgb(0,0,255);stroke-width:1;stroke:rgb(0,0,2)\" /> </a> </g> </svg>",
+                               true,
+                               true,
+                               'SVG with javascript <a> link with newline (T122653)'
+                       ],
                        // Test good, but strange files that we want to allow
                        [
                                '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <g> <a xlink:href="http://en.wikipedia.org/wiki/Main_Page"> <path transform="translate(0,496)" id="path6706" d="m 112.09375,107.6875 -5.0625,3.625 -4.3125,5.03125 -0.46875,0.5 -4.09375,3.34375 -9.125,5.28125 -8.625,-3.375 z" style="fill:#cccccc;fill-opacity:1;stroke:#6e6e6e;stroke-width:0.69999999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;display:inline" /> </a> </g> </svg>',