From fdc70074bbe9cec0e83a2ef512c356861e60dc88 Mon Sep 17 00:00:00 2001 From: csteipp Date: Thu, 7 Jan 2016 08:13:16 -0800 Subject: [PATCH] SECURITY: Don't use m modifier when checking link prefix SVG filter incorrectly used the m modifier when checking if an href attribute started with 'https?://', incorrectly matching attributes such as, "javascript:alert(' http://foo')". Bug: T122653 Change-Id: I41291fff344241cad3171f3e8050de99b62a2296 Signed-off-by: Chad Horohoe --- includes/upload/UploadBase.php | 2 +- tests/phpunit/includes/upload/UploadBaseTest.php | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php index 1185c4da61..ba5171f523 100644 --- a/includes/upload/UploadBase.php +++ b/includes/upload/UploadBase.php @@ -1422,7 +1422,7 @@ abstract class UploadBase { && strpos( $value, '#' ) !== 0 ) { if ( !( $strippedElement === 'a' - && preg_match( '!^https?://!im', $value ) ) + && preg_match( '!^https?://!i', $value ) ) ) { wfDebug( __METHOD__ . ": Found href attribute <$strippedElement " . "'$attrib'='$value' in uploaded file.\n" ); diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php index ee74957c2c..287af29d79 100644 --- a/tests/phpunit/includes/upload/UploadBaseTest.php +++ b/tests/phpunit/includes/upload/UploadBaseTest.php @@ -374,7 +374,12 @@ class UploadBaseTest extends MediaWikiTestCase { false, 'SVG with external entity' ], - + [ + " ", + true, + true, + 'SVG with javascript link with newline (T122653)' + ], // Test good, but strange files that we want to allow [ ' ', -- 2.20.1