From b581c9c3653b8fcea8e89732d43507cff6345d07 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Wed, 11 Jun 2014 16:29:33 -0700
Subject: [PATCH] Disallow css attr() with url type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CSS3 looks set to extend the attr() function so that it can interpret an
attribute as one of several types, including 'url', which "...is interpreted
as a quoted string within the ‘url()’ notation."

Currently no browsers support this syntax yet, so submitting this
as a normal non-security patch.

Bug: T68404
Change-Id: Icdae989764754c985a9292d62efae7cc47009df5
---
 RELEASE-NOTES-1.23                       | 7 +++++++
 includes/Sanitizer.php                   | 1 +
 tests/phpunit/includes/SanitizerTest.php | 2 ++
 3 files changed, 10 insertions(+)

diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index 031249d..4e1116a 100644
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -1,6 +1,13 @@
 Security reminder: MediaWiki does not require PHP's register_globals. If you
 have it on, turn it '''off''' if you can.
 
+== MediaWiki 1.23.16 ==
+This is not a release yet!
+
+=== Changes since 1.23.15 ===
+* (T68404) CSS3 attr() function with url type is no longer allowed
+  in inline styles.
+
 == MediaWiki 1.23.15 ==
 
 This is a maintenance release of the MediaWiki 1.23 branch.
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 80740c3..8c247e3 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -951,6 +951,7 @@ class Sanitizer {
 				| url\s*\(
 				| image\s*\(
 				| image-set\s*\(
+				| attr\s*\([^)]+[\s,]+url
 			!ix', $value ) ) {
 			return '/* insecure input */';
 		}
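Review bot: The added alternative `attr\s*\([^)]+[\s,]+url` places two overlapping quantifiers back to back, because `[^)]` also matches whitespace and commas, so a long run of separators after `attr(` that is not followed by `url` backtracks quadratically. The same set of strings is matched by `| attr\s*\([^)]+[\s,]url`, which removes the overlap. The call that owns this pattern starts outside the hunk; if it is a `preg_match()` tested directly in the `if`, a PCRE limit error returns `false` and the value is passed through as safe, so the condition should probably treat `false` like a match. There is also no boundary after `url`, so a value such as `attr( title, urlish )` is rejected too; that errs on the safe side, but a short comment saying it is intentional would help.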
diff --git a/tests/phpunit/includes/SanitizerTest.php b/tests/phpunit/includes/SanitizerTest.php
index 97abf80..a00bcb6 100644
--- a/tests/phpunit/includes/SanitizerTest.php
+++ b/tests/phpunit/includes/SanitizerTest.php
@@ -275,6 +275,8 @@ class SanitizerTest extends MediaWikiTestCase {
 			array( '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);' ),
 			array( '/* insecure input */', 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
 			array( '/* insecure input */', 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
+			array( '/* insecure input */', 'foo: attr( title, url );' ),
+			array( '/* insecure input */', 'foo: attr( title url );' ),
 		);
 	}
 
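Review bot: Both added cases are rejections, so nothing here pins that an ordinary `attr()` without the url type still passes; a pattern that over-matched every `attr(` would satisfy this hunk equally well. Consider a pass-through case next to them, for example `array( 'foo: attr( title );', 'foo: attr( title );' ),` (assuming the checker returns such a value unchanged), plus a no-space variant such as `array( '/* insecure input */', 'foo: attr(title,url);' ),`. The data provider these lines belong to starts outside the hunk.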
-- 
1.9.5 (Apple Git-50.3)

