$file = $this->getLocalFile();
foreach ( $sizes as $size ) {
- if ( $file->isVectorized()
- || $file->getWidth() > $size ) {
- $jobs[] = new ThumbnailRenderJob( $file->getTitle(), array(
- 'transformParams' => array( 'width' => $size ),
- ) );
+ if ( $file->isVectorized() || $file->getWidth() > $size ) {
+ $jobs[] = new ThumbnailRenderJob(
+ $file->getTitle(),
+ array( 'transformParams' => array( 'width' => $size ) )
+ );
}
}
// detect the encoding in case is specifies an encoding not whitelisted in self::$safeXmlEncodings
$attemptEncodings = array( 'UTF-16', 'UTF-16BE', 'UTF-32', 'UTF-32BE' );
foreach ( $attemptEncodings as $encoding ) {
- wfSuppressWarnings();
+ MediaWiki\suppressWarnings();
$str = iconv( $encoding, 'UTF-8', $contents );
- wfRestoreWarnings();
+ MediaWiki\restoreWarnings();
if ( $str != '' && preg_match( "!<\?xml\b(.*?)\?>!si", $str, $matches ) ) {
if ( preg_match( $encodingRegex, $matches[1], $encMatch )
&& !in_array( strtoupper( $encMatch[1] ), self::$safeXmlEncodings )
return array( 'uploadscriptednamespace', $this->mSVGNSError );
}
- return array( 'uploadscripted' );
+ return $check->filterMatchType;
}
return false;
public static function checkSvgPICallback( $target, $data ) {
// Don't allow external stylesheets (bug 57550)
if ( preg_match( '/xml-stylesheet/i', $target ) ) {
- return true;
+ return array( 'upload-scripted-pi-callback' );
}
return false;
if ( $strippedElement == 'script' ) {
wfDebug( __METHOD__ . ": Found script element '$element' in uploaded file.\n" );
- return true;
+ return array( 'uploaded-script-svg', $strippedElement );
}
# e.g., <svg xmlns="http://www.w3.org/2000/svg">
if ( $strippedElement == 'handler' ) {
wfDebug( __METHOD__ . ": Found scriptable element '$element' in uploaded file.\n" );
- return true;
+ return array( 'uploaded-script-svg', $strippedElement );
}
# SVG reported in Feb '12 that used xml:stylesheet to generate javascript block
if ( $strippedElement == 'stylesheet' ) {
wfDebug( __METHOD__ . ": Found scriptable element '$element' in uploaded file.\n" );
- return true;
+ return array( 'uploaded-script-svg', $strippedElement );
}
# Block iframes, in case they pass the namespace check
if ( $strippedElement == 'iframe' ) {
wfDebug( __METHOD__ . ": iframe in uploaded file.\n" );
- return true;
+ return array( 'uploaded-script-svg', $strippedElement );
}
# Check <style> css
&& self::checkCssFragment( Sanitizer::normalizeCss( $data ) )
) {
wfDebug( __METHOD__ . ": hostile css in style element.\n" );
- return true;
+ return array( 'uploaded-hostile-svg' );
}
foreach ( $attribs as $attrib => $value ) {
wfDebug( __METHOD__
. ": Found event-handler attribute '$attrib'='$value' in uploaded file.\n" );
- return true;
+ return array( 'uploaded-event-handler-on-svg', $attrib, $value );
}
# href with non-local target (don't allow http://, javascript:, etc)
wfDebug( __METHOD__ . ": Found href attribute <$strippedElement "
. "'$attrib'='$value' in uploaded file.\n" );
- return true;
+ return array( 'uploaded-href-attribute-svg', $strippedElement, $attrib, $value );
}
}
if ( !preg_match( "!^data:\s*image/(gif|jpeg|jpg|png)$parameters,!i", $value ) ) {
wfDebug( __METHOD__ . ": Found href to unwhitelisted data: uri "
. "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" );
- return true;
+ return array( 'uploaded-href-unsafe-target-svg', $strippedElement, $attrib, $value );
}
}
wfDebug( __METHOD__ . ": Found animate that might be changing href using from "
. "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" );
- return true;
+ return array( 'uploaded-animate-svg', $strippedElement, $attrib, $value );
}
# use set/animate to add event-handler attribute to parent
wfDebug( __METHOD__ . ": Found svg setting event-handler attribute with "
. "\"<$strippedElement $stripped='$value'...\" in uploaded file.\n" );
- return true;
+ return array( 'uploaded-setting-event-handler-svg', $strippedElement, $stripped, $value );
}
# use set to add href attribute to parent element
) {
wfDebug( __METHOD__ . ": Found svg setting href attribute '$value' in uploaded file.\n" );
- return true;
+ return array( 'uploaded-setting-href-svg' );
}
# use set to add a remote / data / script target to an element
) {
wfDebug( __METHOD__ . ": Found svg setting attribute to '$value' in uploaded file.\n" );
- return true;
+ return array( 'uploaded-wrong-setting-svg', $value );
}
# use handler attribute with remote / data / script
wfDebug( __METHOD__ . ": Found svg setting handler with remote/data/script "
. "'$attrib'='$value' in uploaded file.\n" );
- return true;
+ return array( 'uploaded-setting-handler-svg', $attrib, $value );
}
# use CSS styles to bring in remote code
) {
wfDebug( __METHOD__ . ": Found svg setting a style with "
. "remote url '$attrib'='$value' in uploaded file.\n" );
- return true;
+ return array( 'uploaded-remote-url-svg', $attrib, $value );
}
# Several attributes can include css, css character escaping isn't allowed
) {
wfDebug( __METHOD__ . ": Found svg setting a style with "
. "remote url '$attrib'='$value' in uploaded file.\n" );
- return true;
+ return array( 'uploaded-remote-url-svg', $attrib, $value );
}
# image filters can pull in url, which could be svg that executes scripts
wfDebug( __METHOD__ . ": Found image filter with url: "
. "\"<$strippedElement $stripped='$value'...\" in uploaded file.\n" );
- return true;
+ return array( 'uploaded-image-filter-svg', $strippedElement, $stripped, $value );
}
}