From: Max Semenik Date: Wed, 7 Nov 2018 02:38:22 +0000 (-0800) Subject: SECURITY: blacklist CSS var() X-Git-Tag: 1.31.2~8 X-Git-Url: http://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=d135b6ebe5a79a6b3d0e03fe2bd11747b971ff68 SECURITY: blacklist CSS var() Bug: T208881 Change-Id: I9a4ced2bc47eb5f96cf35e693bf5261c48acb126
---
diff --git a/includes/parser/Sanitizer.php b/includes/parser/Sanitizer.php
index b13e59787f..0b3a07b0f5 100644
--- a/includes/parser/Sanitizer.php
+++ b/includes/parser/Sanitizer.php
@@ -1054,6 +1054,7 @@ class Sanitizer {
 | image\s*\(
 | image-set\s*\(
 | attr\s*\([^)]+[\s,]+url
+ | var\s*\(
 !ix', $value ) ) {
 return '/* insecure input */';
 }
diff --git a/tests/phpunit/includes/parser/SanitizerTest.php b/tests/phpunit/includes/parser/SanitizerTest.php
index 6590338d36..35b81fb91e 100644
--- a/tests/phpunit/includes/parser/SanitizerTest.php
+++ b/tests/phpunit/includes/parser/SanitizerTest.php
@@ -322,6 +322,7 @@ class SanitizerTest extends MediaWikiTestCase {
 ],
 [ '/* insecure input */', 'foo: attr( title, url );' ],
 [ '/* insecure input */', 'foo: attr( title url );' ],
+ [ '/* insecure input */', 'foo: var(--evil-attribute)' ],
 ];
 }
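Review bot: The new `var\s*\(` alternative in the Sanitizer.php hunk is added to a blacklist of CSS functions with nothing in the hunk saying why custom-property lookups are treated as insecure input, and the enclosing method both starts and ends outside the hunk, so a later maintainer has only the commit message to go on. Since the pattern is compiled with the `x` modifier, a same-line comment is cheap: `| var\s*\(  # custom property lookups, see T208881`. As a textual blacklist, this alternative is also only as strong as whatever normalisation of `$value` (escape decoding, comment stripping) runs before the match; that preparation lies above the hunk, so it is worth confirming the new entry sits after it rather than in a second, un-normalised pass.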
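Review bot: The SanitizerTest.php hunk pins a single spelling, `foo: var(--evil-attribute)`, although the pattern it exercises accepts optional whitespace before the parenthesis via `\s*` and is compiled with the `i` modifier, so neither of those paths is covered. Two further rows alongside the new one would lock that in, e.g. `[ '/* insecure input */', 'foo: var (--x)' ],` and `[ '/* insecure input */', 'foo: VAR(--x)' ],`. The surrounding data-provider method begins outside the hunk, so the rows should follow whatever ordering convention its earlier entries use.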