From bf5f708dc52503a2981cd8f059708f0f773b218d Mon Sep 17 00:00:00 2001 From: csteipp Date: Mon, 12 Jan 2015 17:00:45 -0800 Subject: [PATCH] SECURITY: Don't allow embedded application/xml in SVG's Fix for iSEC-WMF1214-11 and issue reported by Cure 53, which got around our blacklist on embedded href targets. Use a whitelist instead. Bug: T85850 Change-Id: I17b7ed65935b818695a83fd901fcaf90fffecf28 --- includes/upload/UploadBase.php | 24 ++++++++----------- .../includes/upload/UploadBaseTest.php | 13 ++++++++++ 2 files changed, 23 insertions(+), 14 deletions(-) diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php index a001fea8c1..8c3f1740a2 100644 --- a/includes/upload/UploadBase.php +++ b/includes/upload/UploadBase.php @@ -1412,20 +1412,16 @@ abstract class UploadBase { } } - # href with embedded svg as target - if ( $stripped == 'href' && preg_match( '!data:[^,]*image/svg[^,]*,!sim', $value ) ) { - wfDebug( __METHOD__ . ": Found href to embedded svg " - . "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" ); - - return true; - } - - # href with embedded (text/xml) svg as target - if ( $stripped == 'href' && preg_match( '!data:[^,]*text/xml[^,]*,!sim', $value ) ) { - wfDebug( __METHOD__ . ": Found href to embedded svg " - . "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" ); - - return true; + # only allow data: targets that should be safe. This prevents vectors like, + # image/svg, text/xml, application/xml, and text/html, which can contain scripts + if ( $stripped == 'href' && strncasecmp( 'data:', $value, 5 ) === 0 ) { + // rfc2397 parameters. This is only slightly slower than (;[\w;]+)*. + $parameters = '(?>;[a-zA-Z0-9\!#$&\'*+.^_`{|}~-]+=(?>[a-zA-Z0-9\!#$&\'*+.^_`{|}~-]+|"(?>[\0-\x0c\x0e-\x21\x23-\x5b\x5d-\x7f]+|\\\\[\0-\x7f])*"))*(?:;base64)?'; + if ( !preg_match( "!^data:\s*image/(gif|jpeg|jpg|png)$parameters,!i", $value ) ) { + wfDebug( __METHOD__ . ": Found href to unwhitelisted data: uri " + . "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" ); + return true; + } } # Change href with animate from (http://html5sec.org/#137). This doesn't seem diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php index dd43af9444..8c5c9236a9 100644 --- a/tests/phpunit/includes/upload/UploadBaseTest.php +++ b/tests/phpunit/includes/upload/UploadBaseTest.php @@ -162,6 +162,12 @@ class UploadBaseTest extends MediaWikiTestCase { true, 'SVG with javascript xlink (http://html5sec.org/#87)' ), + array( + ' ', + true, + true, + 'SVG with Opera image xlink (http://html5sec.org/#88 - c)' + ), array( ' ', true, @@ -337,6 +343,13 @@ class UploadBaseTest extends MediaWikiTestCase { true, 'SVG with remote background image using image() (bug 69008)' ), + array( + // As reported by Cure53 + ' ', + true, + true, + 'SVG with data:text/html link target (firefox only)' + ), // Test good, but strange files that we want to allow array( -- 2.20.1