From 3329d18dbf25dbca3215627bbb010150e8256018 Mon Sep 17 00:00:00 2001 From: csteipp Date: Thu, 4 Sep 2014 16:05:47 -0700 Subject: [PATCH] SECURITY: Enhance CSS filtering in SVG files * Filter WebPlatform.org ', + true, + true, + 'SVG with @import in style element (bug 69008)' + ), + array( + ' WebPlatform.org ', + true, + true, + 'SVG with @import in style element and child element (bug 69008#c11)' + ), + array( + ' ', + true, + true, + 'SVG with remote background image (bug 69008)' + ), + array( + ' ', + true, + true, + 'SVG with remote background image, encoded (bug 69008)' + ), + array( + ' ', + true, + true, + 'SVG with remote background image, in style element (bug 69008)' + ), + array( + // This currently doesn't seem to work in any browsers, but in case + // http://www.w3.org/TR/css3-images/ is implemented for SVG files + ' ', + true, + true, + 'SVG with remote background image using image() (bug 69008)' + ), + + // Test good, but strange files that we want to allow + array( + ' ', + true, + false, + 'SVG with link to a remote site' + ), + array( + ' 12345 ', + true, + false, + 'SVG with local urls, including filter: in style' + ), + + ); + } } class UploadTestHandler extends UploadBase { @@ -143,4 +367,19 @@ class UploadTestHandler extends UploadBase { $this->getTitle(); return $this->mTitleError; } + + /** + * Almost the same as UploadBase::detectScriptInSvg, except it's + * public, works on an xml string instead of filename, and returns + * the result instead of interpreting them. + */ + public function checkSvgString( $svg ) { + $check = new XmlTypeCheck( + $svg, + array( $this, 'checkSvgScriptCallback' ), + false, + array( 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback' ) + ); + return array( $check->wellFormed, $check->filterMatch ); + } } -- 1.8.4.5