SECURITY: blacklist CSS var()

author Max Semenik <maxsem.wiki@gmail.com>

Wed, 7 Nov 2018 02:38:22 +0000 (18:38 -0800)

committer Reedy <reedy@wikimedia.org>

Thu, 6 Jun 2019 16:15:55 +0000 (16:15 +0000)
author Max Semenik <maxsem.wiki@gmail.com>
Wed, 7 Nov 2018 02:38:22 +0000 (18:38 -0800)
committer Reedy <reedy@wikimedia.org>
Thu, 6 Jun 2019 16:15:55 +0000 (16:15 +0000)
diff --git a/includes/parser/Sanitizer.php b/includes/parser/Sanitizer.php

index abf0714..f76e3a9 100644 (file)
--- a/includes/parser/Sanitizer.php
+++ b/includes/parser/Sanitizer.php
@@ -1073,6 +1073,7 @@ class Sanitizer {
                                 | image\s*\(
                                 | image-set\s*\(
                                 | attr\s*\([^)]+[\s,]+url
+                               | var\s*\(
                         !ix', $value ) ) {
                         return '/* insecure input */';
                 }
diff --git a/tests/phpunit/includes/parser/SanitizerTest.php b/tests/phpunit/includes/parser/SanitizerTest.php

index 1f6f4e8..1b67bbd 100644 (file)
--- a/tests/phpunit/includes/parser/SanitizerTest.php
+++ b/tests/phpunit/includes/parser/SanitizerTest.php
@@ -326,6 +326,7 @@ class SanitizerTest extends MediaWikiTestCase {
                         ],
                         [ '/* insecure input */', 'foo: attr( title, url );' ],
                         [ '/* insecure input */', 'foo: attr( title url );' ],
+                       [ '/* insecure input */', 'foo: var(--evil-attribute)' ],
                 ];
         }
author	Max Semenik <maxsem.wiki@gmail.com>
	Wed, 7 Nov 2018 02:38:22 +0000 (18:38 -0800)
committer	Reedy <reedy@wikimedia.org>
	Thu, 6 Jun 2019 16:15:55 +0000 (16:15 +0000)
includes/parser/Sanitizer.php		patch \| blob \| history
tests/phpunit/includes/parser/SanitizerTest.php		patch \| blob \| history