Brian Wolff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/316714

Change subject: Disallow css attr() with url type
......................................................................

Disallow css attr() with url type

CSS3 seems like it will extend the attr() function which can interpret
attribute as different types, including 'url', which "...is interpreted
as a quoted string within the ‘url()’ notation."

Currently no browsers support this syntax yet, so submitting this
as a normal non-security patch.

Bug: T68404
Change-Id: Icdae989764754c985a9292d62efae7cc47009df5
---
M RELEASE-NOTES-1.23
M includes/Sanitizer.php
M tests/phpunit/includes/SanitizerTest.php
3 files changed, 10 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/14/316714/1

diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index 031249d..4e1116a 100644
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -1,6 +1,13 @@
 Security reminder: MediaWiki does not require PHP's register_globals. If you
 have it on, turn it '''off''' if you can.
 
+== MediaWiki 1.23.16 ==
+This is not a release yet!
+
+=== Changes since 1.23.15 ===
+* (T68404) CSS3 attr() function with url type is no longer allowed
+  in inline styles.
+
 == MediaWiki 1.23.15 ==
 
 This is a maintenance release of the MediaWiki 1.23 branch.
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 80740c3..8c247e3 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -951,6 +951,7 @@
                                | url\s*\(
                                | image\s*\(
                                | image-set\s*\(
+                               | attr\s*\([^)]+[\s,]+url
                        !ix', $value ) ) {
                        return '/* insecure input */';
                }
diff --git a/tests/phpunit/includes/SanitizerTest.php 
b/tests/phpunit/includes/SanitizerTest.php
index 97abf80..a00bcb6 100644
--- a/tests/phpunit/includes/SanitizerTest.php
+++ b/tests/phpunit/includes/SanitizerTest.php
@@ -275,6 +275,8 @@
                        array( '/* insecure input */', 'background-image: 
image-set("asdf.png" 1x, "asdf.png" 2x);' ),
                        array( '/* insecure input */', 'background-image: 
-webkit-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
                        array( '/* insecure input */', 'background-image: 
-moz-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
+                       array( '/* insecure input */', 'foo: attr( title, url 
);' ),
+                       array( '/* insecure input */', 'foo: attr( title url 
);' ),
                );
        }
 

-- 
To view, visit https://gerrit.wikimedia.org/r/316714
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Icdae989764754c985a9292d62efae7cc47009df5
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_23
Gerrit-Owner: Brian Wolff <bawolff...@gmail.com>
Gerrit-Reviewer: CSteipp <cste...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to