SECURITY: Disallow -o-link in styles
authorcsteipp <csteipp@wikimedia.org>
Tue, 14 Jan 2014 06:12:28 +0000 (22:12 -0800)
committercsteipp <csteipp@wikimedia.org>
Tue, 14 Jan 2014 06:12:28 +0000 (22:12 -0800)
Opera will execute JavaScript from -o-link CSS properties.

Bug: 58472
Change-Id: I3b640282ca1feeb175b095e9fdc4dc3ceff05e0f

includes/Sanitizer.php
tests/parser/parserTests.txt

index 7461a8b..0de8cda 100644 (file)
@@ -926,9 +926,16 @@ class Sanitizer {
                if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
                        return '/* invalid control char */';
                } elseif ( preg_match(
-                       '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( | image-set\s*\( !ix',
-                       $value
-               ) ) {
+                       '! expression
+                               | filter\s*:
+                               | accelerator\s*:
+                               | -o-link\s*:
+                               | -o-link-source\s*:
+                               | -o-replace\s*:
+                               | url\s*\(
+                               | image\s*\(
+                               | image-set\s*\(
+                       !ix', $value ) ) {
                        return '/* insecure input */';
                }
                return $value;
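Review bot: The three new `-o-link`, `-o-link-source` and `-o-replace` alternatives go into the blocklist with no comment saying why, so a later reader of this regex cannot tell them apart from the older IE-specific entries or know what browser behaviour they guard against; add a short comment above the `preg_match`, e.g. `// -o-link/-o-link-source/-o-replace: Opera follows javascript: and data: URLs set through -o-link (bug 58472)`. Note also that this is a plain substring blocklist on `$value`, so the new entries are only as strong as the character-reference and CSS-escape normalisation that presumably runs before this check (not visible in the hunk) — an escaped spelling such as `-o-\6c ink:` is caught only if that decoding is complete, which is worth confirming with a parser test rather than assuming. The enclosing checkCss() method begins and ends outside this hunk.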
index 6dff54e..d853889 100644 (file)
@@ -12160,6 +12160,17 @@ MSIE CSS safety test: sup/sub script
 
 !! end
 
+!! test
+Opera -o-link CSS
+!! input
+<div
+title="&#100;&#97;&#116;&#97;&#58;&#116;&#101;&#120;&#116;&#47;&#104;&#116;&#109;&#108;&#44;&#60;&#105;&#109;&#103;&#32;&#115;&#114;&#99;&#61;&#49;&#32;&#111;&#110;&#101;&#114;&#114;&#111;&#114;&#61;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#62;"
+style="-o-link:attr(title);-o-link-source:current">X</div>
+!! result
+<div title="data:text/html,&lt;img src=1 onerror=alert(1)&gt;" style="/* insecure input */">X</div>
+
+!! end
+
 !! test
 MSIE CSS safety test: Repetition markers
 !! input
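Review bot: The new parser test exercises `-o-link` and `-o-link-source` but not `-o-replace`, which the companion Sanitizer.php change also rejects, so a regression on that third alternative would pass the test suite unnoticed; add a sibling case such as `style="-o-replace:attr(title)"` with the same `style="/* insecure input */"` expectation. It would also help to name the test after what it checks, e.g. `Opera -o-link CSS: javascript via data: URL in attr()`, since the numeric character references in the input make the intent hard to read.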