From 3842f9a26228399426037b5c00a69781db7f3ad8 Mon Sep 17 00:00:00 2001
From: Daniel Friesen
Date: Fri, 21 Sep 2012 09:51:08 -0700
Subject: [PATCH] Preemptively add css3's image() to our css sanitizer.

- Adding this now even though no browser supports it so that when one does it doesn't become a way to bypass our url() filter.
- Including missing tests for all of our insecure input filters.
- Also make sure that vendor prefixed versions like -webkit-image() are caught because most browsers are probably going to go and implement a vendor prefixed version first.

Change-Id: If73aa98b8accdb7621b0e4ff0615b61d530fa547
---
 includes/Sanitizer.php | 2 +-
 tests/phpunit/includes/SanitizerTest.php | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 224b2d1247..6358540c6f 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -912,7 +912,7 @@ class Sanitizer {
 // Reject problematic keywords and control characters
 if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
 return '/* invalid control char */';
- } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) {
+ } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( !ix', $value ) ) {
 return '/* insecure input */';
 }
 return $value;
diff --git a/tests/phpunit/includes/SanitizerTest.php b/tests/phpunit/includes/SanitizerTest.php
index d67f905942..ac9971e290 100644
--- a/tests/phpunit/includes/SanitizerTest.php
+++ b/tests/phpunit/includes/SanitizerTest.php
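Review bot: The new `image\s*\(` alternative in the preg_match carries no explanation in the code; the rationale (rejecting a function no browser yet implements so it cannot later become a way around the url() filter) lives only in the commit message, so a comment above the `elseif`, e.g. `// image() takes URL strings like url() does; rejected preemptively, vendor-prefixed forms included`, would keep that intent next to the pattern. Because the match is an unanchored substring, `-webkit-image(` and `-moz-image(` are caught by the same alternative, which is what the new rows in the SanitizerTest.php hunk depend on. The same reasoning would seem to apply to image-set(), which also takes image references and first appeared vendor-prefixed; worth confirming whether it belongs in the list as well. The enclosing method starts before the hunk.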
@@ -182,6 +182,12 @@ class SanitizerTest extends MediaWikiTestCase {
 'Remove anything after a comment-start token' ),
 array( '', "\\2f\\2a unifinished comment'",
 'Remove anything after a backslash-escaped comment-start token' ),
+ array( '/* insecure input */', 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\');'),
+ array( '/* insecure input */', '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\')";'),
+ array( '/* insecure input */', 'width: expression(1+1);'),
+ array( '/* insecure input */', 'background-image: image(asdf.png);'),
+ array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);'),
+ array( '/* insecure input */', 'background-image: -moz-image(asdf.png);'),
 );
 }
 }
-- 
2.20.1
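Review bot: The six added provider rows omit the third description element that the surrounding rows carry (`'Remove anything after a comment-start token'`), so a failing case will report only the raw input; adding a short label per row, e.g. `array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);', 'Reject vendor-prefixed image()' ),` keeps the provider consistent and the failure output readable. If the consuming test method declares the message as a required parameter, two-element rows would also break the whole provider, which is worth checking since that method is outside the hunk. The data-provider method these rows belong to starts before the hunk.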