* Can be overridden by subclasses.
*
* @param User $user
- * @return bool
+ * @return bool|string
*/
public static function isAllowed( $user ) {
foreach ( array( 'upload', 'edit' ) as $permission ) {
/**
* Verify whether the upload is sane.
- * @return mixed self::OK or else an array with error information
+ * @return mixed Const self::OK or else an array with error information
*/
public function verifyUpload() {
wfProfileIn( __METHOD__ );
global $wgVerifyMimeType;
wfProfileIn( __METHOD__ );
if ( $wgVerifyMimeType ) {
- wfDebug( "\n\nmime: <$mime> extension: <{$this->mFinalExtension}>\n\n" );
+ wfDebug( "mime: <$mime> extension: <{$this->mFinalExtension}>\n" );
global $wgMimeTypeBlacklist;
if ( $this->checkFileExtension( $mime, $wgMimeTypeBlacklist ) ) {
wfProfileOut( __METHOD__ );
}
$this->mFileProps = FSFile::getPropsFromPath( $this->mTempPath, $this->mFinalExtension );
- $mime = $this->mFileProps['file-mime'];
+ $mime = $this->mFileProps['mime'];
if ( $wgVerifyMimeType ) {
# XXX: Missing extension will be caught by validateName() via getTitle()
* isAllowed() should be called as well for generic is-user-blocked or
* can-user-upload checking.
*
- * @param User $user object to verify the permissions against
+ * @param User $user User object to verify the permissions against
* @return mixed An array as returned by getUserPermissionsErrors or true
* in case the user has proper permissions.
*/
/**
* Callback to filter SVG Processing Instructions.
- * @param string $target processing instruction name
- * @param string $data processing instruction attribute and value
+ * @param string $target Processing instruction name
+ * @param string $data Processing instruction attribute and value
* @return bool (true if the filter identified something bad)
*/
public static function checkSvgPICallback( $target, $data ) {
return true;
}
- # href with javascript target
- if ( $stripped == 'href' && strpos( strtolower( $value ), 'javascript:' ) !== false ) {
- wfDebug( __METHOD__
- . ": Found script in href attribute '$attrib'='$value' in uploaded file.\n" );
+ # href with non-local target (don't allow http://, javascript:, etc)
+ if ( $stripped == 'href'
+ && strpos( $value, 'data:' ) !== 0
+ && strpos( $value, '#' ) !== 0
+ ) {
+ if ( !( $strippedElement === 'a'
+ && preg_match( '!^https?://!im', $value ) )
+ ) {
+ wfDebug( __METHOD__ . ": Found href attribute <$strippedElement "
+ . "'$attrib'='$value' in uploaded file.\n" );
- return true;
+ return true;
+ }
}
# href with embedded svg as target
dépôts / lhc / web / wiklou.git / blobdiff