SECURITY: Whitelist DTD declaration in SVG
author Brian Wolff <bawolff+wn@gmail.com>
Mon, 28 Nov 2016 23:34:24 +0000 (23:34 +0000)
committer Chad Horohoe <chadh@wikimedia.org>
Thu, 6 Apr 2017 20:43:04 +0000 (13:43 -0700)
commit bc31c5bd57e5f58c204113ef651d8fa172122c47
tree 66530c7737258eba4ce9820ca135bf18e17ef067
parent 288512618ee57477ed5f01a97e11de229cbe32bb
SECURITY: Whitelist DTD declaration in SVG

Only allow ENTITY declarations inside the doctype internal
subset. Do not allow parameter entities, recursive entity
references or entity values longer than 255 bytes, or
external entity references. Filter external doctype subset
to only allow the standard svg doctypes.

Recursive entities that are simple aliases are allowed
because people appear to use them on commons. Declaring
xmlns:xlink to have a #FIXED value to the xlink namespace
is allowed because GraphViz apparently does that so it's
somewhat common.

This prevents someone bypassing filter by using default
attribute values in internal dtd subset. No browser loads
the external dtd subset that I could find, but whitelist
just to be safe anyways.

Issue reported by Cassiogomes11.

Bug: T151735
Change-Id: I7cb4690f759ad97e70e06e560978b6207d84c446
RELEASE-NOTES-1.29
includes/libs/mime/XmlTypeCheck.php
includes/upload/UploadBase.php
languages/i18n/en.json
languages/i18n/qqq.json
tests/phpunit/includes/upload/UploadBaseTest.php
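
The whitelist policy described in the commit message, sketched as a standalone PHP check over the text of a DOCTYPE internal subset. This is an added example, not the code from XmlTypeCheck.php or UploadBase.php: the function name `checkInternalSubset`, the regexes, the error strings and the sample subsets are assumptions made for illustration, and the sketch is stricter than the message requires in that it also rejects comments and character references.

```php
<?php
// Added illustration of the policy in the commit message; not MediaWiki's XmlTypeCheck code.
const XLINK_NS = 'http://www.w3.org/1999/xlink';

/** Check a DOCTYPE internal subset (text between "[" and "]"); returns policy violations. */
function checkInternalSubset( string $subset ): array {
	$errors = [];
	// One declaration: "<!KEYWORD", then quoted literals or other non-">" bytes, then ">".
	$decl = '/<!([A-Z]+)((?:"[^"]*"|\'[^\']*\'|[^"\'>])*)>/';
	preg_match_all( $decl, $subset, $decls, PREG_SET_ORDER );
	// Leftovers (comments, PIs, "%pe;" references, stray text) are rejected outright.
	if ( trim( preg_replace( $decl, '', $subset ) ) !== '' ) {
		$errors[] = 'unexpected content in internal subset';
	}
	foreach ( $decls as [ , $keyword, $body ] ) {
		$body = trim( $body );
		if ( $keyword === 'ATTLIST' ) {
			// Only exception: xmlns:xlink #FIXED to the XLink namespace (GraphViz output).
			$fixed = '/^\S+\s+xmlns:xlink\s+CDATA\s+#FIXED\s+(["\'])(.*)\1$/s';
			if ( !preg_match( $fixed, $body, $m ) || $m[2] !== XLINK_NS ) {
				$errors[] = 'ATTLIST declaration not allowed';
			}
		} elseif ( $keyword !== 'ENTITY' ) {
			$errors[] = "$keyword declaration not allowed";
		} elseif ( !preg_match( '/^([^\s%"\']+)\s+(["\'])(.*)\2$/s', $body, $m ) ) {
			// Rejects "% name" parameter entities and SYSTEM/PUBLIC external entities.
			$errors[] = 'entity must be a general entity with a literal value';
		} elseif ( strlen( $m[3] ) > 255 ) {
			$errors[] = "entity {$m[1]}: value longer than 255 bytes";
		} elseif ( strpbrk( $m[3], '&%' ) !== false && !preg_match( '/^&[A-Za-z_:][\w:.-]*;\z/', $m[3] ) ) {
			// A value that is exactly "&other;" is a simple alias; any other reference is not.
			$errors[] = "entity {$m[1]}: reference inside value";
		}
	}
	return $errors;
}

// Constructed sample subsets (not taken from real uploads).
$samples = [
	'alias'     => '<!ENTITY ns "http://www.w3.org/2000/svg"> <!ENTITY ns2 "&ns;">',
	'graphviz'  => '<!ATTLIST svg xmlns:xlink CDATA #FIXED "' . XLINK_NS . '">',
	'default'   => '<!ATTLIST svg data-x CDATA "constructed-default">',
	'external'  => '<!ENTITY ext SYSTEM "placeholder.dtd">',
	'parameter' => '<!ENTITY % pe "x">',
	'nested'    => '<!ENTITY a "b"> <!ENTITY c "&a;&a;">',
];
foreach ( $samples as $label => $subset ) {
	echo $label, ': ', implode( '; ', checkInternalSubset( $subset ) ) ?: 'accepted', "\n";
}
```

The first two samples are accepted and the other four are each reported with one violation; the external subset check ("only allow the standard svg doctypes") is not covered by this sketch.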