From c728e37b0e6526c7de15aa49b6d56e7ff5d400c6 Mon Sep 17 00:00:00 2001 From: csteipp Date: Mon, 23 Mar 2015 18:18:16 -0700 Subject: [PATCH] SECURITY: Don't allow embedded application/xml in SVG's Fix for iSEC-WMF1214-11 and issue reported by Cure 53, which got around our blacklist on embedded href targets. Use a whitelist instead. Bug: T85850 --- includes/upload/UploadBase.php | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php index 1f893c5..db96ca3 100644 --- a/includes/upload/UploadBase.php +++ b/includes/upload/UploadBase.php @@ -1210,16 +1210,16 @@ abstract class UploadBase { } } - # href with embeded svg as target - if( $stripped == 'href' && preg_match( '!data:[^,]*image/svg[^,]*,!sim', $value ) ) { - wfDebug( __METHOD__ . ": Found href to embedded svg \"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" ); - return true; - } - - # href with embeded (text/xml) svg as target - if( $stripped == 'href' && preg_match( '!data:[^,]*text/xml[^,]*,!sim', $value ) ) { - wfDebug( __METHOD__ . ": Found href to embedded svg \"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" ); - return true; + # only allow data: targets that should be safe. This prevents vectors like, + # image/svg, text/xml, application/xml, and text/html, which can contain scripts + if ( $stripped == 'href' && strncasecmp( 'data:', $value, 5 ) === 0 ) { + // rfc2397 parameters. This is only slightly slower than (;[\w;]+)*. + $parameters = '(?>;[a-zA-Z0-9\!#$&\'*+.^_`{|}~-]+=(?>[a-zA-Z0-9\!#$&\'*+.^_`{|}~-]+|"(?>[\0-\x0c\x0e-\x21\x23-\x5b\x5d-\x7f]+|\\\\[\0-\x7f])*"))*(?:;base64)?'; + if ( !preg_match( "!^data:\s*image/(gif|jpeg|jpg|png)$parameters,!i", $value ) ) { + wfDebug( __METHOD__ . ": Found href to unwhitelisted data: uri " + . "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" ); + return true; + } } # Change href with animate from (http://html5sec.org/#137). This doesn't seem -- 1.8.4.5