X-Git-Url: https://git.cyclocoop.org/%27.WWW_URL.%27admin/?a=blobdiff_plain;f=includes%2Fupload%2FUploadBase.php;h=e74f52083c3f3cbf51ddb5276f3ecfe8a65c66e1;hb=dcdf45010d92ac758bc3d8e2873e7a86680a154e;hp=b8ca434038364b089df36497c7b76da74296e1b6;hpb=2a18dbc731aeeb061a1edcbbc411d1e255b41db4;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index b8ca434038..e74f52083c 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -118,7 +118,7 @@ abstract class UploadBase {
 	 * Can be overridden by subclasses.
 	 *
 	 * @param User $user
-	 * @return bool
+	 * @return bool|string
 	 */
 	public static function isAllowed( $user ) {
 		foreach ( array( 'upload', 'edit' ) as $permission ) {
@@ -283,7 +283,7 @@ abstract class UploadBase {
 
 	/**
 	 * Verify whether the upload is sane.
-	 * @return mixed self::OK or else an array with error information
+	 * @return mixed Const self::OK or else an array with error information
 	 */
 	public function verifyUpload() {
 		wfProfileIn( __METHOD__ );
@@ -388,7 +388,7 @@ abstract class UploadBase {
 		global $wgVerifyMimeType;
 		wfProfileIn( __METHOD__ );
 		if ( $wgVerifyMimeType ) {
-			wfDebug( "\n\nmime: <$mime> extension: <{$this->mFinalExtension}>\n\n" );
+			wfDebug( "mime: <$mime> extension: <{$this->mFinalExtension}>\n" );
 			global $wgMimeTypeBlacklist;
 			if ( $this->checkFileExtension( $mime, $wgMimeTypeBlacklist ) ) {
 				wfProfileOut( __METHOD__ );
@@ -435,7 +435,7 @@ abstract class UploadBase {
 		}
 
 		$this->mFileProps = FSFile::getPropsFromPath( $this->mTempPath, $this->mFinalExtension );
-		$mime = $this->mFileProps['file-mime'];
+		$mime = $this->mFileProps['mime'];
 
 		if ( $wgVerifyMimeType ) {
 			# XXX: Missing extension will be caught by validateName() via getTitle()
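Review bot: The new `@return bool|string` on isAllowed() names a second return type but does not say what the string means, so a caller still cannot tell from the docblock what to do with it. The body, which runs past the hunk, iterates `array( 'upload', 'edit' )`, so the string is presumably the first permission the user lacks; once that is confirmed, make the tag say so: `* @return bool|string True if the user may upload, otherwise the name of the missing permission`.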
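Review bot: The switch from `$this->mFileProps['file-mime']` to `$this->mFileProps['mime']` changes which detected type feeds the `$wgVerifyMimeType` check that follows, but nothing on the line records why. If FSFile::getPropsFromPath() (outside this page) fills both keys, with `'mime'` being the extension-adjusted variant, the check now runs on a value partly derived from the uploader-chosen extension rather than the raw sniffed content type; that should be confirmed and stated in a comment, e.g. `# 'mime' is the extension-adjusted type; 'file-mime' is the raw sniffed value`. A missing key would leave `$mime` null after only a notice, so an `isset()` guard that fails verification is safer than continuing silently. The enclosing method continues outside the hunk.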
@@ -593,7 +593,7 @@ abstract class UploadBase {
 	 * isAllowed() should be called as well for generic is-user-blocked or
 	 * can-user-upload checking.
 	 *
-	 * @param User $user object to verify the permissions against
+	 * @param User $user User object to verify the permissions against
 	 * @return mixed An array as returned by getUserPermissionsErrors or true
 	 *   in case the user has proper permissions.
 	 */
@@ -1276,8 +1276,8 @@ abstract class UploadBase {
 
 	/**
 	 * Callback to filter SVG Processing Instructions.
-	 * @param string $target processing instruction name
-	 * @param string $data processing instruction attribute and value
+	 * @param string $target Processing instruction name
+	 * @param string $data Processing instruction attribute and value
 	 * @return bool (true if the filter identified something bad)
 	 */
 	public static function checkSvgPICallback( $target, $data ) {
@@ -1390,12 +1390,19 @@ abstract class UploadBase {
 				return true;
 			}
 
-			# href with javascript target
-			if ( $stripped == 'href' && strpos( strtolower( $value ), 'javascript:' ) !== false ) {
-				wfDebug( __METHOD__
-					. ": Found script in href attribute '$attrib'='$value' in uploaded file.\n" );
+			# href with non-local target (don't allow http://, javascript:, etc)
+			if ( $stripped == 'href'
+				&& strpos( $value, 'data:' ) !== 0
+				&& strpos( $value, '#' ) !== 0
+			) {
+				if ( !( $strippedElement === 'a'
+					&& preg_match( '!^https?://!im', $value ) )
+				) {
+					wfDebug( __METHOD__ . ": Found href attribute <$strippedElement "
+						. "'$attrib'='$value' in uploaded file.\n" );
 
-				return true;
+					return true;
+				}
 			}
 
 			# href with embedded svg as target
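Review bot: The `<a>` exemption uses `preg_match( '!^https?://!im', $value )`, and the `m` modifier makes `^` match at the start of any line inside the attribute value, so a multi-line href is accepted as long as one of its lines starts with http(s):// even when the first line carries a different scheme; drop the flag so the anchor applies only to the start of the value: `&& preg_match( '!^https?://!i', $value ) )`. The `data:` and `#` prefix tests on the outer condition are case-sensitive `strpos` checks, which is fail-closed (a differently-cased value is simply rejected), so they are fine as written. `$stripped == 'href'` and `$strippedElement === 'a'` mix loose and strict comparison in the same condition; use `===` for both. The enclosing callback starts and ends outside the hunk.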