From 7cc9e822fe67d8c829162603c16b5acf2f3e7893 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Tue, 13 Jan 2015 16:48:01 -0800
Subject: [PATCH] SECURITY: Fix animate blacklist

The blacklist should prevent animating any element's xlink:href to a
javascript url.

Bug: T86711
Change-Id: Ia9e9192165fdfe1701f22605eee0b0e5c9137d5a
---
 includes/upload/UploadBase.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index db96ca3..06375f8 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1222,11 +1222,10 @@ abstract class UploadBase {
 				}
 			}
 
-			# Change href with animate from (http://html5sec.org/#137). This doesn't seem
-			# possible without embedding the svg, but filter here in case.
-			if ( $stripped == 'from'
+			# Change href with animate from (http://html5sec.org/#137).
+			if ( $stripped === 'attributename'
 				&& $strippedElement === 'animate'
-				&& !preg_match( '!^https?://!im', $value )
+				&& $this->stripXmlNamespace( $value ) == 'href'
 			) {
 				wfDebug( __METHOD__ . ": Found animate that might be changing href using from "
 					. "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" );
-- 
1.8.4.5