X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/banques/?a=blobdiff_plain;f=includes%2Fupload%2FUploadBase.php;h=d00ad978e7a881c25266e315a154278fad5333c6;hb=8ffabe23a195e47af2a117a2a917a280b3459255;hp=d9e8e994980d23d4edbb17ed75034484f74b3fdd;hpb=6e840bcfd4542a0873f8ec878472f71859009b4f;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index d9e8e99498..ae5b73249d 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -21,6 +21,7 @@
 * @ingroup Upload
 */
 use MediaWiki\MediaWikiServices;
+use MediaWiki\Shell\Shell;
 /**
 * @defgroup Upload Upload related
@@ -403,7 +404,7 @@ abstract class UploadBase {
 * @return mixed True if the file is verified, an array otherwise
 */
 protected function verifyMimeType( $mime ) {
- global $wgVerifyMimeType;
+ global $wgVerifyMimeType, $wgVerifyMimeTypeIE;
 if ( $wgVerifyMimeType ) {
 wfDebug( "mime: <$mime> extension: <{$this->mFinalExtension}>\n" );
 global $wgMimeTypeBlacklist;
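Review bot: The docblock of verifyMimeType() still reads `@return mixed True if the file is verified, an array otherwise` while this same commit narrows identical `mixed` wording to `bool|array` on checkOverwrite() and the SVG callbacks; for consistency it should become `* @return bool|array True if the file is verified, an array otherwise`. The new `$wgVerifyMimeTypeIE` global is pulled in without any hint of what it gates, so a reader of this hunk has to locate the later `if ( $wgVerifyMimeTypeIE )` block to learn that it switches the Internet Explorer sniffing check off; a one-line `# $wgVerifyMimeTypeIE toggles the IE content-sniffing check further down` next to the `global` line would cover that. I assume the matching default is added to the settings file in the same commit, which is not shown on this page. verifyMimeType's body continues past the end of the hunk.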
@@ -411,17 +412,19 @@ abstract class UploadBase {
 return [ 'filetype-badmime', $mime ];
 }
- # Check what Internet Explorer would detect
- $fp = fopen( $this->mTempPath, 'rb' );
- $chunk = fread( $fp, 256 );
- fclose( $fp );
-
- $magic = MediaWiki\MediaWikiServices::getInstance()->getMimeAnalyzer();
- $extMime = $magic->guessTypesForExtension( $this->mFinalExtension );
- $ieTypes = $magic->getIEMimeTypes( $this->mTempPath, $chunk, $extMime );
- foreach ( $ieTypes as $ieType ) {
- if ( $this->checkFileExtension( $ieType, $wgMimeTypeBlacklist ) ) {
- return [ 'filetype-bad-ie-mime', $ieType ];
+ if ( $wgVerifyMimeTypeIE ) {
+ # Check what Internet Explorer would detect
+ $fp = fopen( $this->mTempPath, 'rb' );
+ $chunk = fread( $fp, 256 );
+ fclose( $fp );
+
+ $magic = MediaWiki\MediaWikiServices::getInstance()->getMimeAnalyzer();
+ $extMime = $magic->guessTypesForExtension( $this->mFinalExtension );
+ $ieTypes = $magic->getIEMimeTypes( $this->mTempPath, $chunk, $extMime );
+ foreach ( $ieTypes as $ieType ) {
+ if ( $this->checkFileExtension( $ieType, $wgMimeTypeBlacklist ) ) {
+ return [ 'filetype-bad-ie-mime', $ieType ];
+ }
 }
 }
 }
@@ -947,8 +950,8 @@ abstract class UploadBase {
 */
 list( $partname, $ext ) = $this->splitExtensions( $this->mFilteredName );
- if ( count( $ext ) ) {
- $this->mFinalExtension = trim( $ext[count( $ext ) - 1] );
+ if ( $ext !== [] ) {
+ $this->mFinalExtension = trim( end( $ext ) );
 } else {
 $this->mFinalExtension = '';
@@ -1078,10 +1081,8 @@ abstract class UploadBase {
 $props = $this->mFileProps;
 $error = null;
 Hooks::run( 'UploadStashFile', [ $this, $user, $props, &$error ] );
- if ( $error ) {
- if ( !is_array( $error ) ) {
- $error = [ $error ];
- }
+ if ( $error && !is_array( $error ) ) {
+ $error = [ $error ];
 }
 return $error;
 }
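Review bot: Inside the new `if ( $wgVerifyMimeTypeIE )` block the result of `fopen( $this->mTempPath, 'rb' )` is still handed straight to `fread()` and `fclose()`, so an unreadable temp file turns into a PHP error on the `fread()` line instead of a verification failure; the moved code should test the handle first, `$fp = fopen( $this->mTempPath, 'rb' ); if ( $fp === false ) { /* return a verification error here */ }`, and the same unchecked `fopen( $file, 'rb' )` appears in the detectScript() hunk further down. The new gate also carries no comment on what is given up when the setting is off, even though the docblock this commit deletes later in the file states that the IE sniffing can make a valid image file be interpreted as HTML and execute script. A line such as `# Turning this off via $wgVerifyMimeTypeIE drops the guard against old IE sniffing an uploaded file as HTML` above the `if` would keep that rationale next to the switch. The enclosing verifyMimeType() starts before this hunk.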
@@ -1169,7 +1170,7 @@ abstract class UploadBase {
 * scripts, so the blacklist needs to check them all.
 *
 * @param string $filename
- * @return array
+ * @return array [ string, string[] ]
 */
 public static function splitExtensions( $filename ) {
 $bits = explode( '.', $filename );
@@ -1194,9 +1195,9 @@ abstract class UploadBase {
 * Perform case-insensitive match against a list of file extensions.
 * Returns an array of matching extensions.
 *
- * @param array $ext
- * @param array $list
- * @return bool
+ * @param string[] $ext
+ * @param string[] $list
+ * @return string[]
 */
 public static function checkFileExtensionList( $ext, $list ) {
 return array_intersect( array_map( 'strtolower', $ext ), $list );
@@ -1263,12 +1264,11 @@ abstract class UploadBase {
 * @return bool True if the file contains something looking like embedded scripts
 */
 public static function detectScript( $file, $mime, $extension ) {
- global $wgAllowTitlesInSVG;
-
 # ugly hack: for text files, always look at the entire file.
 # For binary field, just check the first K.
- if ( strpos( $mime, 'text/' ) === 0 ) {
+ $isText = strpos( $mime, 'text/' ) === 0;
+ if ( $isText ) {
 $chunk = file_get_contents( $file );
 } else {
 $fp = fopen( $file, 'rb' );
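Review bot: The new `@param string[] $list` on checkFileExtensionList() hides a real asymmetry in `return array_intersect( array_map( 'strtolower', $ext ), $list );`: only `$ext` is lower-cased, so the "case-insensitive" match holds only when every entry of `$list` is already lower case, and an upper-case entry in an extension blacklist never matches. Either state that in the docblock, `* @param string[] $list Extensions to match against; entries must be lower case`, or lower-case both sides with `array_map( 'strtolower', $list )` as the second argument. `array_intersect` also keeps the keys of `$ext`, so the result is not necessarily a reindexed list; `@return string[]` is fine but callers that index it numerically should use `array_values()`.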
@@ -1313,36 +1313,19 @@ abstract class UploadBase {
 }
 }
- /**
- * Internet Explorer for Windows performs some really stupid file type
- * autodetection which can cause it to interpret valid image files as HTML
- * and potentially execute JavaScript, creating a cross-site scripting
- * attack vectors.
- *
- * Apple's Safari browser also performs some unsafe file type autodetection
- * which can cause legitimate files to be interpreted as HTML if the
- * web server is not correctly configured to send the right content-type
- * (or if you're really uploading plain text and octet streams!)
- *
- * Returns true if IE is likely to mistake the given file for HTML.
- * Also returns true if Safari would mistake the given file for HTML
- * when served with a generic content-type.
- */
+ // Quick check for HTML heuristics in old IE and Safari.
+ //
+ // The exact heuristics IE uses are checked separately via verifyMimeType(), so we
+ // don't need them all here as it can cause many false positives.
+ //
+ // Check for `mSVGNSError = false;
@@ -1479,7 +1462,7 @@ abstract class UploadBase {
 * Callback to filter SVG Processing Instructions.
 * @param string $target Processing instruction name
 * @param string $data Processing instruction attribute and value
- * @return bool (true if the filter identified something bad)
+ * @return bool|array
 */
 public static function checkSvgPICallback( $target, $data ) {
 // Don't allow external stylesheets (T59550)
@@ -1526,7 +1509,7 @@ abstract class UploadBase {
 * @param string $element
 * @param array $attribs
 * @param array|null $data
- * @return bool
+ * @return bool|array
 */
 public function checkSvgScriptCallback( $element, $attribs, $data = null ) {
 list( $namespace, $strippedElement ) = $this->splitXmlNamespace( $element );
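Review bot: The new comment `// The exact heuristics IE uses are checked separately via verifyMimeType(), so we don't need them all here` is only true while `$wgVerifyMimeTypeIE` is enabled, because this same commit wraps that IE check in `if ( $wgVerifyMimeTypeIE )`; it should say so, e.g. `// ... checked separately via verifyMimeType() when $wgVerifyMimeTypeIE is on, so we ...`. The deleted docblock also recorded why the check exists at all (valid image files sniffed as HTML and executing script), and that rationale should survive in the replacement comment rather than be dropped along with the PHPDoc block. The hunk as rendered on this page is truncated after `Check for`, so the function header the new comment belongs to is not visible here.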
@@ -1837,7 +1820,7 @@ abstract class UploadBase {
 * $wgAntivirusRequired may be used to deny upload if the scan fails.
 *
 * @param string $file Pathname to the temporary upload file
- * @return mixed False if not virus is found, null if the scan fails or is disabled,
+ * @return bool|null|string False if not virus is found, null if the scan fails or is disabled,
 * or a string containing feedback from the virus scanner if a virus was found.
 * If textual feedback is missing but a virus was found, this function returns true.
 */
@@ -1865,10 +1848,10 @@ abstract class UploadBase {
 if ( strpos( $command, "%f" ) === false ) {
 # simple pattern: append file to scan
- $command .= " " . wfEscapeShellArg( $file );
+ $command .= " " . Shell::escape( $file );
 } else {
 # complex pattern: replace "%f" with file to scan
- $command = str_replace( "%f", wfEscapeShellArg( $file ), $command );
+ $command = str_replace( "%f", Shell::escape( $file ), $command );
 }
 wfDebug( __METHOD__ . ": running virus scan: $command \n" );
@@ -1916,10 +1899,8 @@ abstract class UploadBase {
 $output = true; # if there's no output, return true
 } elseif ( $msgPattern ) {
 $groups = [];
- if ( preg_match( $msgPattern, $output, $groups ) ) {
- if ( $groups[1] ) {
- $output = $groups[1];
- }
+ if ( preg_match( $msgPattern, $output, $groups ) && $groups[1] ) {
+ $output = $groups[1];
 }
 }
@@ -1935,7 +1916,7 @@ abstract class UploadBase {
 *
 * @param User $user
 *
- * @return mixed True on success, array on failure
+ * @return bool|array
 */
 private function checkOverwrite( $user ) {
 // First check whether the local file can be overwritten
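Review bot: The merged condition `preg_match( $msgPattern, $output, $groups ) && $groups[1]` still reads `$groups[1]` without checking that it exists, so a `$msgPattern` with no capture group raises an undefined-offset notice on every match; `if ( preg_match( $msgPattern, $output, $groups ) && !empty( $groups[1] ) ) {` keeps the existing truthiness semantics and removes the notice. The origin of `$msgPattern` is outside this hunk; it looks like scanner configuration rather than anything derived from the scanned file, so this is an operator footgun, not an input-handling hole. The surrounding scanner-output handling starts before this hunk.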
@@ -2088,10 +2069,10 @@ abstract class UploadBase {
 $partname = $n ? substr( $filename, 0, $n ) : $filename;
 return (
- substr( $partname, 3, 3 ) == 'px-' ||
- substr( $partname, 2, 3 ) == 'px-'
- ) &&
- preg_match( "/[0-9]{2}/", substr( $partname, 0, 2 ) );
+ substr( $partname, 3, 3 ) == 'px-' ||
+ substr( $partname, 2, 3 ) == 'px-'
+ ) &&
+ preg_match( "/[0-9]{2}/", substr( $partname, 0, 2 ) );
 }
 /**