From ef9efa7ae662ffa88ddf3a674750181214b5fb33 Mon Sep 17 00:00:00 2001
From: Max Semenik
Date: Tue, 6 Nov 2018 18:38:22 -0800
Subject: [PATCH] SECURITY: blacklist CSS var() and calc()

Bug: T208881
Change-Id: I9a4ced2bc47eb5f96cf35e693bf5261c48acb126
---
 includes/parser/Sanitizer.php | 2 ++
 tests/phpunit/includes/parser/SanitizerTest.php | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/includes/parser/Sanitizer.php b/includes/parser/Sanitizer.php
index 85c71eeb44..ecc97ffc88 100644
--- a/includes/parser/Sanitizer.php
+++ b/includes/parser/Sanitizer.php
@@ -1056,6 +1056,8 @@ class Sanitizer {
 				| image\s*\(
 				| image-set\s*\(
 				| attr\s*\([^)]+[\s,]+url
+				| calc\s*\(
+				| var\s*\(
 				!ix', $value ) ) {
 			return '/* insecure input */';
 		}
diff --git a/tests/phpunit/includes/parser/SanitizerTest.php b/tests/phpunit/includes/parser/SanitizerTest.php
index a8b0f90a3a..83b08f1bf2 100644
--- a/tests/phpunit/includes/parser/SanitizerTest.php
+++ b/tests/phpunit/includes/parser/SanitizerTest.php
@@ -322,6 +322,8 @@ class SanitizerTest extends MediaWikiTestCase {
 			],
 			[ '/* insecure input */', 'foo: attr( title, url );' ],
 			[ '/* insecure input */', 'foo: attr( title url );' ],
+			[ '/* insecure input */', 'foo: calc(100% - 1px)' ],
+			[ '/* insecure input */', 'foo: var(--evil-attribute)' ],
 		];
 	}
 
-- 
2.17.1
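Review bot: The two new alternatives `calc\s*\(` and `var\s*\(` carry no explanation of why these functions are rejected, and the commit message says only SECURITY with a bug number, so a maintainer later trimming this list has nothing in the code to go on. Since the pattern is terminated by `!ix'`, PCRE extended mode is on and a comment can sit on the line itself, e.g. `| calc\s*\(  # T208881: rejected as a whole value, see bug`, or a short PHP comment above the `preg_match` call can state that a value is replaced by `/* insecure input */` whenever any listed function appears anywhere in it. It is also worth recording that the `i` modifier and `\s*` mean spellings such as `CALC (` are deliberately caught. The enclosing method starts and ends outside the hunk.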
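Review bot: The two new data-provider cases exercise only the lowercase, no-space spelling, so the `i` modifier and the `\s*` before the parenthesis in the Sanitizer.php pattern are left untested; adding `[ '/* insecure input */', 'foo: CALC ( 100% - 1px );' ],` and `[ '/* insecure input */', 'foo: VAR ( --x );' ],` would pin both. The new strings also omit the trailing `;` that the neighbouring attr() cases carry, which looks unintentional and is worth aligning so the cases differ only in the function under test. The data-provider method enclosing these cases starts and ends outside the hunk.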