From: csteipp <csteipp@wikimedia.org>
Date: Tue, 14 Jan 2014 06:12:28 +0000 (-0800)
Subject: SECURITY: Disallow -o-link in styles
X-Git-Tag: 1.31.0-rc.0~17261
X-Git-Url: http://git.cyclocoop.org/%7D%7Cconcat%7B?a=commitdiff_plain;h=93891d1b5d089c3c1157085165af0f50307b0b63;p=lhc%2Fweb%2Fwiklou.git

SECURITY: Disallow -o-link in styles

Opera will execute javascript from -o-link css attributes.

Bug: 58472
Change-Id: I3b640282ca1feeb175b095e9fdc4dc3ceff05e0f
---

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 7461a8b9ef..0de8cda4c8 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -926,9 +926,16 @@ class Sanitizer {
 		if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
 			return '/* invalid control char */';
 		} elseif ( preg_match(
-			'! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( | image-set\s*\( !ix',
-			$value
-		) ) {
+			'! expression
+				| filter\s*:
+				| accelerator\s*:
+				| -o-link\s*:
+				| -o-link-source\s*:
+				| -o-replace\s*:
+				| url\s*\(
+				| image\s*\(
+				| image-set\s*\(
+			!ix', $value ) ) {
 			return '/* insecure input */';
 		}
 		return $value;
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index 6dff54e5e8..d853889cad 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -12160,6 +12160,17 @@ MSIE CSS safety test: sup/sub script
 
 !! end
 
+!! test
+Opera -o-link CSS
+!! input
+<div
+title="&#100;&#97;&#116;&#97;&#58;&#116;&#101;&#120;&#116;&#47;&#104;&#116;&#109;&#108;&#44;&#60;&#105;&#109;&#103;&#32;&#115;&#114;&#99;&#61;&#49;&#32;&#111;&#110;&#101;&#114;&#114;&#111;&#114;&#61;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#62;"
+style="-o-link:attr(title);-o-link-source:current">X</div>
+!! result
+<div title="data:text/html,&lt;img src=1 onerror=alert(1)&gt;" style="/* insecure input */">X</div>
+
+!! end
+
 !! test
 MSIE CSS safety test: Repetition markers
 !! input