Brian Wolff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/316621

Change subject: Disallow css attr() with url type
......................................................................

Disallow css attr() with url type

CSS3 seems like it will extend the attr() function, which can interpret
an attribute as different types, including 'url', which "...is interpreted
as a quoted string within the ‘url()’ notation."

Currently no browsers support this syntax yet, so submitting this
as a normal non-security patch.

Bug: T68404
Change-Id: Icdae989764754c985a9292d62efae7cc47009df5
---
M RELEASE-NOTES-1.26
M includes/Sanitizer.php
M tests/phpunit/includes/SanitizerTest.php
3 files changed, 10 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/21/316621/1

diff --git a/RELEASE-NOTES-1.26 b/RELEASE-NOTES-1.26
index f5f2936..7dd56a7 100644
--- a/RELEASE-NOTES-1.26
+++ b/RELEASE-NOTES-1.26
@@ -1,6 +1,13 @@
 Security reminder: If you have PHP's register_globals option set, you must
 turn it off. MediaWiki will not work with it enabled.
 
+== MediaWiki 1.26.5 ==
+This is not yet a release!
+
+=== Changes since 1.26.4 ===
+* (T68404) CSS3 attr() function with url type is no longer allowed
+  in inline styles.
+
 == MediaWiki 1.26.4 ==
 
 This is a maintenance release of the MediaWiki 1.26 branch.
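Review bot: The new entry under "Changes since 1.26.4" says attr() with url type "is no longer allowed" but does not say what happens to a style that uses it. The Sanitizer.php change in this patch replaces the whole value with `/* insecure input */`, so a wiki author will see the entire declaration disappear rather than just the attr() call. Consider wording the note so that effect is explicit, for example "inline styles containing it are replaced with /* insecure input */".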
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index de63af7..15ea9b2 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -974,6 +974,7 @@
                                | url\s*\(
                                | image\s*\(
                                | image-set\s*\(
+                               | attr\s*\([^)]+[\s,]+url
                        !ix', $value ) ) {
                        return '/* insecure input */';
                }
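Review bot: In the added alternative `attr\s*\([^)]+[\s,]+url`, the `url` token has no trailing boundary and the pattern does not distinguish the type position from the fallback position, so any attr() call where something beginning with "url" follows whitespace or a comma is rejected, not only the url type keyword. Over-blocking is the safe direction for a sanitizer, but it should be stated as deliberate: add a short comment next to this alternative explaining that it targets the CSS3 typed attr() form (T68404) and is intentionally broad, or tighten it with a `\b` after `url` if only the keyword is meant. It is also worth confirming that `[^)]+` is evaluated after the function's earlier normalization of escapes and comments, since the match stops at the first closing parenthesis and these lines do not show that step.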
diff --git a/tests/phpunit/includes/SanitizerTest.php 
b/tests/phpunit/includes/SanitizerTest.php
index d3dc512..3ebf8a2 100644
--- a/tests/phpunit/includes/SanitizerTest.php
+++ b/tests/phpunit/includes/SanitizerTest.php
@@ -314,6 +314,8 @@
                                '/* insecure input */',
                                'background-image: -moz-image-set("asdf.png" 
1x, "asdf.png" 2x);'
                        ),
+                       array( '/* insecure input */', 'foo: attr( title, url 
);' ),
+                       array( '/* insecure input */', 'foo: attr( title url 
);' ),
                );
        }
 
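Review bot: The two added cases only cover lowercase `attr( title, url )` and `attr( title url )` with spaces around every token, and both are positive cases. The regex carries the `i` flag and allows `[\s,]+` as the separator, so add cases for mixed case (`ATTR( title URL )`) and for a comma with no whitespace (`attr(title,url)`) to pin that behaviour down. A negative case is missing as well: a plain `attr( title )` or `attr( title, "fallback" )` should come back unchanged, otherwise a later edit to the pattern could start rejecting every attr() use without any test failing.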

-- 
To view, visit https://gerrit.wikimedia.org/r/316621

Gerrit-MessageType: newchange
Gerrit-Change-Id: Icdae989764754c985a9292d62efae7cc47009df5
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_26
Gerrit-Owner: Brian Wolff <bawolff...@gmail.com>
Gerrit-Reviewer: CSteipp <cste...@wikimedia.org>
