From de80f8f0aa89ac85f8875515982636e5bb08766b Mon Sep 17 00:00:00 2001 From: Brian Wolff Date: Mon, 28 Nov 2016 23:34:24 +0000 Subject: [PATCH] Security: Load default attribute values for SVG validation This prevents someone bypassing filter by using default attribute values in internal dtd subset. Note, browsers ignore external dtds, so we do too. Issue reported by Cassiogomes11. Bug: T151735 Change-Id: I7cb4690f759ad97e70e06e560978b6207d84c446 --- includes/libs/mime/XmlTypeCheck.php | 19 +++++++++++++++++-- tests/phpunit/includes/upload/UploadBaseTest.php | 18 ++++++++++++++++++ 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/includes/libs/mime/XmlTypeCheck.php b/includes/libs/mime/XmlTypeCheck.php index 3958f8c..b33220e 100644 --- a/includes/libs/mime/XmlTypeCheck.php +++ b/includes/libs/mime/XmlTypeCheck.php @@ -138,9 +138,9 @@ class XmlTypeCheck { private function validateFromInput( $xml, $isFile ) { $reader = new XMLReader(); if ( $isFile ) { - $s = $reader->open( $xml, null, LIBXML_NOERROR | LIBXML_NOWARNING ); + $s = $reader->open( $xml, null, LIBXML_NOERROR | LIBXML_NOWARNING | LIBXML_DTDATTR ); } else { - $s = $reader->XML( $xml, null, LIBXML_NOERROR | LIBXML_NOWARNING ); + $s = $reader->XML( $xml, null, LIBXML_NOERROR | LIBXML_NOWARNING | LIBXML_DTDATTR ); } if ( $s !== true ) { // Couldn't open the XML @@ -171,6 +171,21 @@ class XmlTypeCheck { } public function XmlErrorHandler( $errno, $errstr ) { + // Horrible hack. HHVM seems to complain about the svg dtd + // even though it isn't planning to fetch it anyways. + $svgdtd = [ + 'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd', + 'http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd', + 'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-basic.dtd', + 'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-tiny.dtd' + ]; + if ( $errno === 2 ) { + foreach( $svgdtd as $dtd ) { + if ( $errstr === "Protocol 'http' for external XML entity '$dtd' is disabled for security reasons. This may be changed using the hhvm.libxml.ext_entity_whitelist ini setting." ) { + return; + } + } + } $this->wellFormed = false; } diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php index 6be272f..dd2be8a 100644 --- a/tests/phpunit/includes/upload/UploadBaseTest.php +++ b/tests/phpunit/includes/upload/UploadBaseTest.php @@ -375,6 +375,12 @@ class UploadBaseTest extends MediaWikiTestCase { 'SVG with external entity' ], [ + ' ]> &foo; ', + false, + false, + 'SVG with data: uri external entity' + ], + [ " ", true, true, @@ -393,6 +399,18 @@ class UploadBaseTest extends MediaWikiTestCase { false, 'SVG with local urls, including filter: in style' ], + [ + ' ]> ', + true, + true, + 'SVG with evil default attribute values' + ], + [ + ' ', + true, + false, + 'SVG with an evil external dtd, but should not be loaded' + ] ]; // @codingStandardsIgnoreEnd } -- 1.9.5 (Apple Git-50.3)