From: Tyler Romeo
Date: Tue, 30 Dec 2014 20:24:04 +0000 (-0500)
Subject: SECURITY: Make SVG @import checking case insensitive
X-Git-Tag: 1.31.0-rc.0~11904
X-Git-Url: https://git.cyclocoop.org/%27.%24link.%27?a=commitdiff_plain;h=b813539d6d802a2a3fa58684fca63f87e8135c03;p=lhc%2Fweb%2Fwiklou.git

SECURITY: Make SVG @import checking case insensitive

@import in embedded CSS is case-insensitive, meaning an attacker can put "@iMpOrT" and it should still work. This uses stripos instead of strpos to make the check case insensitive.

Bug: T85349
Change-Id: I31db9d81f46460af2d8d3f161ba46c2ab7a170d1
---

diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index a79526e0fb..a001fea8c1 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1524,7 +1524,7 @@ abstract class UploadBase {
 private static function checkCssFragment( $value ) {
 # Forbid external stylesheets, for both reliability and to protect viewer's privacy
- if ( strpos( $value, '@import' ) !== false ) {
+ if ( stripos( $value, '@import' ) !== false ) {
 return true;
 }
diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php
index 63ad8c0555..dd43af9444 100644
--- a/tests/phpunit/includes/upload/UploadBaseTest.php
+++ b/tests/phpunit/includes/upload/UploadBaseTest.php
@@ -305,6 +305,12 @@ class UploadBaseTest extends MediaWikiTestCase {
 true,
 'SVG with @import in style element and child element (bug 69008#c11)'
 ),
+ array(
+ ' WebPlatform.org ',
+ true,
+ true,
+ 'SVG with case-insensitive @import in style element (bug T85349)'
+ ),
 array(
 ' ',
 true,
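Review bot: The switched-in `stripos` call still matches only the literal byte sequence of the keyword, and the surrounding comment should say so, because a reader will otherwise assume this line alone rejects every spelling of the at-rule; CSS escape sequences inside an at-keyword are not normalised by this test, so they have to be rejected by another check in checkCssFragment, whose body continues outside the hunk. Suggest extending the comment above the condition with `# CSS at-keywords are case-insensitive, so match regardless of case. This is a plain` and `# substring test: it does not decode CSS backslash escapes, which are handled separately.` (adjust the second sentence to whatever the rest of the function actually does). Folding with `stripos` is sufficient here since the needle is pure ASCII; only its locale dependence on PHP versions before 8.2 is worth knowing, and it does not affect ASCII letters.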
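Review bot: The new fixture's description reads 'case-insensitive @import', but it is the check that is case-insensitive while the fixture carries a differently cased keyword, and this rendering has stripped the SVG markup so the exact spelling used is not visible. Naming the variant in the last element of the added array, e.g. `'SVG with mixed-case @import in style element (bug T85349)'` if that is what the fixture contains, makes a failing assertion self-explanatory. The neighbouring case covers `@import` in both a style element and a child element; a cased fixture for the child-element path would keep the two bug reports at parity. The data provider this array belongs to starts and ends outside the hunk.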