From e800a985bdee8db3cc6fcf00370187fc40f04cef Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Thu, 7 Jan 2016 08:13:16 -0800
Subject: [PATCH] SECURITY: Don't use m modifier when checking link prefix

SVG filter incorrectly used the m modifier when checking if an href
attribute started with 'https?://', incorrectly matching attributes
such as, "javascript:alert('&#10;http://foo')".

Bug: T122653
Change-Id: I41291fff344241cad3171f3e8050de99b62a2296
---
 includes/upload/UploadBase.php                   | 2 +-
 tests/phpunit/includes/upload/UploadBaseTest.php | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 9e11374..953bc47 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1413,7 +1413,7 @@ abstract class UploadBase {
 				&& strpos( $value, '#' ) !== 0
 			) {
 				if ( !( $strippedElement === 'a'
-					&& preg_match( '!^https?://!im', $value ) )
+					&& preg_match( '!^https?://!i', $value ) )
 				) {
 					wfDebug( __METHOD__ . ": Found href attribute <$strippedElement "
 						. "'$attrib'='$value' in uploaded file.\n" );
diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php
index 9441b77..a3f8ae4 100644
--- a/tests/phpunit/includes/upload/UploadBaseTest.php
+++ b/tests/phpunit/includes/upload/UploadBaseTest.php
@@ -374,6 +374,12 @@ class UploadBaseTest extends MediaWikiTestCase {
 				false,
 				'SVG with external entity'
 			),
+			array(
+				"<svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"> <g> <a xlink:href=\"javascript:alert('1&#10;https://google.com')\"> <rect width=\"300\" height=\"100\" style=\"fill:rgb(0,0,255);stroke-width:1;stroke:rgb(0,0,2)\" /> </a> </g> </svg>",
+				true,
+				true,
+				'SVG with javascript <a> link with newline (T122653)'
+			),
 
 			// Test good, but strange files that we want to allow
 			array(
-- 
2.8.1