From 7114801e78b7b4cab2b6d7695bdb4af90462bcbe Mon Sep 17 00:00:00 2001
From: csteipp
Date: Wed, 28 May 2014 16:55:40 -0700
Subject: [PATCH] SECURITY: Prevent external resources in SVG files

On bug 65724, it was discovered that a user could upload SVG images with embedded elements that pulled in the resource via http. This could allow an attacker to track all viewers of an SVG by having the image embed another image hosted on their own server. While testing the patch, I also identified 3 more element namespaces that have been used on commons and seem harmless, so I added those to the whitelist.

Change-Id: Iaaabc3a60c0ec4e6e426a8680d7a2cef5d469d29
---
 includes/upload/UploadBase.php | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index b8ca434038..ac894aec18 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1390,12 +1390,19 @@ abstract class UploadBase {
 return true;
 }
 
- # href with javascript target
- if ( $stripped == 'href' && strpos( strtolower( $value ), 'javascript:' ) !== false ) {
- wfDebug( __METHOD__
- . ": Found script in href attribute '$attrib'='$value' in uploaded file.\n" );
+ # href with non-local target (don't allow http://, javascript:, etc)
+ if ( $stripped == 'href'
+ && strpos( $value, 'data:' ) !== 0
+ && strpos( $value, '#' ) !== 0
+ ) {
+ if ( !( $strippedElement === 'a'
+ && preg_match( '!^https?://!im', $value ) )
+ ) {
+ wfDebug( __METHOD__ . ": Found href attribute <$strippedElement "
+ . "'$attrib'='$value' in uploaded file.\n" );
 
- return true;
+ return true;
+ }
 }
 
 # href with embedded svg as target
-- 
2.20.1
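Review bot: The `<a>` exception in the inner `if` matches with `preg_match( '!^https?://!im', $value )`, and the `m` modifier lets `^` match at the start of any line inside the attribute value, not only at the start of the string. Since this commit also removes the old `javascript:` substring test, that regex is the only scheme check left for `<a>` hrefs, so a value that merely contains a line beginning with `http://` would be accepted whatever scheme it actually starts with. Dropping the modifier anchors the test to the start of the value: `&& preg_match( '!^https?://!i', $value ) )`. The enclosing method begins and ends outside the hunk, so whether `$value` is trimmed or newline-normalised before this point cannot be confirmed from here.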