return array( 'uploadscripted' );
}
if ( $this->mFinalExtension == 'svg' || $mime == 'image/svg+xml' ) {
- if ( $this->detectScriptInSvg( $this->mTempPath ) ) {
+ $svgStatus = $this->detectScriptInSvg( $this->mTempPath );
+ if ( $svgStatus !== false ) {
wfProfileOut( __METHOD__ );
- return array( 'uploadscripted' );
+ return $svgStatus;
}
}
}
/**
* @param $filename string
- * @return bool
+ * @return mixed false of the file is verified (does not contain scripts), array otherwise.
*/
protected function detectScriptInSvg( $filename ) {
$check = new XmlTypeCheck(
true,
array( 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback' )
);
- return $check->filterMatch;
+ if ( $check->wellFormed !== true ) {
+ // Invalid xml (bug 58553)
+ return array( 'uploadinvalidxml' );
+ } elseif ( $check->filterMatch ) {
+ return array( 'uploadscripted' );
+ }
+ return false;
}
/**
'php-uploaddisabledtext' => 'File uploads are disabled in PHP.
Please check the file_uploads setting.',
'uploadscripted' => 'This file contains HTML or script code that may be erroneously interpreted by a web browser.',
+'uploadinvalidxml' => 'The XML in the uploaded file could not be parsed.',
'uploadvirus' => 'The file contains a virus!
Details: $1',
'uploadjava' => 'The file is a ZIP file that contains a Java .class file.
* {{msg-mw|zip-wrong-format}}
* {{msg-mw|uploadjava}}
* {{msg-mw|uploadvirus}}',
+'uploadinvalidxml' => 'Error message displayed when the uploaded file contains XML that cannot be properly parsed and checked.',
'uploadvirus' => 'Error message displayed when uploaded file contains a virus.
Parameters: