From: Rob Church
Date: Fri, 5 May 2006 06:48:29 +0000 (+0000)
Subject: Introduce $wgAllowTitlesInSVG, which allows the attribute in uploaded files...
X-Git-Tag: 1.31.0-rc.0~57241
X-Git-Url: https://git.cyclocoop.org/%242?a=commitdiff_plain;h=dfdf3c83bc833a3f99c7ab91f69b73b8d8a0e21c;p=lhc%2Fweb%2Fwiklou.git
Introduce $wgAllowTitlesInSVG, which allows the <title> attribute in uploaded files bearing the image/svg MIME type. Disabled by default due to the vast majority of web servers being hideously misconfigured. See DefaultSettings.php for more details.
---
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 060c55b2a0..f3f0fe7a9b 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -204,6 +204,9 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * Rewritten removeUnusedAccounts to be more efficient, print names of inactive accounts
 * Redirect Special:Userlist to Special:Listusers
+* Introduce $wgAllowTitlesInSVG, which allows the <title> attribute in uploaded files
+  bearing the image/svg MIME type. Disabled by default due to the vast majority of
+  web servers being hideously misconfigured. See DefaultSettings.php for more details.
 == Compatibility ==
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 22b4944035..1109a2f29a 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -1951,4 +1951,13 @@ $wgAllowDisplayTitle = false ;
  */
 $wgReservedUsernames = array( 'MediaWiki default', 'Conversion script' );
+/**
+ * MediaWiki will reject HTMLesque tags in uploaded files due to idiotic browsers which can't
+ * perform basic stuff like MIME detection and which are vulnerable to further idiots uploading
+ * crap files as images. When this directive is on, <title> will be allowed in files with
+ * an "image/svg" MIME type. You should leave this disabled if your web server is misconfigured
+ * and doesn't send appropriate MIME types for SVG images.
+ */
+$wgAllowTitlesInSVG = false;
+
 ?>
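Review bot: The new docblock in the DefaultSettings.php hunk tells the administrator to keep the flag off when the web server is misconfigured, but gives no way to check that, and the "image/svg" it mentions is an exact string the upload check compares against rather than a loose description. I would add to the docblock: `* Before enabling this, confirm that a request for an uploaded .svg file comes back with an SVG Content-Type; a browser that sniffs content may otherwise render a file containing HTML-like tags as HTML. The check matches the MIME type MediaWiki detects for the file exactly.` Whether the detected type is spelled `image/svg` or `image/svg+xml` is decided in the upload code, not here, so the docblock should state which spelling qualifies once that is confirmed.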
diff --git a/includes/SpecialUpload.php b/includes/SpecialUpload.php
index f08b6e1c7e..ef695f3ea4 100644
--- a/includes/SpecialUpload.php
+++ b/includes/SpecialUpload.php
@@ -845,6 +845,7 @@ class UploadForm {
	 * @return bool true if the file contains something looking like embedded scripts
	 */
	function detectScript($file,$mime) {
+		global $wgAllowTitlesInSVG;
		#ugly hack: for text files, always look at the entire file.
		#For binarie field, just check the first K.
@@ -899,9 +900,10 @@ class UploadForm {
			'<img',
			'<pre',
			'<script', #also in safari
-			'<table',
-			'<title' #also in safari
+			'<table'
			);
+		if( $mime != 'image/svg' || !$wgAllowTitlesInSVG )
+			$tags[] = '<title';
		foreach( $tags as $tag ) {
			if( false !== strpos( $chunk, $tag ) ) {
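Review bot: The added condition in the second hunk compares `$mime` with the literal `'image/svg'`, while the registered media type for SVG is `image/svg+xml`; unless the MIME detection that feeds `$mime` emits exactly `image/svg`, the new branch never fires and `<title` keeps being rejected, which is fail-closed but makes the new setting silently ineffective. Confirm which string the detector produces for SVG uploads and match it, e.g. `if( !$wgAllowTitlesInSVG || !in_array( $mime, array( 'image/svg', 'image/svg+xml' ), true ) )`, and use a strict comparison rather than `!=` for the string check in any case. The `strpos` scan below is unchanged by this commit and still rejects `<title` for every other type, which is the intended default. detectScript's body, including the start of the `$tags` array and its return statements, continues outside the hunk.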