From ff4ed6aefb0570f8061758ab30f02d41af1227da Mon Sep 17 00:00:00 2001
From: Tyler Romeo
Date: Tue, 30 Dec 2014 15:24:04 -0500
Subject: [PATCH] [PATCH] SECURITY: Make SVG @import checking case insensitive

@import in embedded CSS is case-insensitive, meaning an attacker can put "@iMpOrT" and it should still work. This uses stripos instead of strpos to make the check case insensitive.

Bug: T85349
Change-Id: I31db9d81f46460af2d8d3f161ba46c2ab7a170d1
---
 includes/upload/UploadBase.php | 2 +-
 tests/phpunit/includes/upload/UploadBaseTest.php | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 4c96dc8..0aabaea 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1571,7 +1571,7 @@ abstract class UploadBase {
 private static function checkCssFragment( $value ) {
 # Forbid external stylesheets, for both reliability and to protect viewer's privacy
- if ( strpos( $value, '@import' ) !== false ) {
+ if ( stripos( $value, '@import' ) !== false ) {
 return true;
 }
diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php
index f23b264..a80155b 100644
--- a/tests/phpunit/includes/upload/UploadBaseTest.php
+++ b/tests/phpunit/includes/upload/UploadBaseTest.php
@@ -307,6 +307,12 @@ class UploadBaseTest extends MediaWikiTestCase {
 'SVG with @import in style element and child element (bug 69008#c11)'
 ),
 array(
+ ' WebPlatform.org ',
+ true,
+ true,
+ 'SVG with case-insensitive @import in style element (bug T85349)'
+ ),
+ array(
 ' ',
 true,
 true,
--
2.2.1
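Review bot: The comment above the changed line still gives no reason for the case-insensitive match, so a later reader may "simplify" stripos back to strpos; I would extend it to `# Forbid external stylesheets, for both reliability and to protect viewer's privacy. CSS at-keywords are case-insensitive, so @import must be matched case-insensitively (T85349).` The check remains a plain substring blocklist rather than a CSS parse, so a false result from this branch means only "no @import literal found", not "fragment is safe"; that distinction belongs in the function's doc comment so callers do not over-trust it. checkCssFragment's body continues outside the hunk.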
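Review bot: The new dataset pins the fix only for @import inside a style element; if checkCssFragment is also applied to style attributes (not visible in this hunk), a parallel mixed-case dataset for that path would guard against a regression there as well. The fixture as rendered here shows only `' WebPlatform.org '`, so the actual mixed-case @import content cannot be confirmed from this page and should be checked in the file itself. The data-provider array these entries belong to starts and ends outside the hunk.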