jenkins-bot has submitted this change and it was merged.

Change subject: Disallow css attr() with url type
......................................................................


Disallow css attr() with url type

CSS3 seems like it will extend the attr() function which can interpret
attribute as different types, including 'url', which "...is interpreted
as a quoted string within the ‘url()’ notation."

Currently no browsers support this syntax yet, so submitting this
as a normal non-security patch.

Bug: T68404
Change-Id: Icdae989764754c985a9292d62efae7cc47009df5
(cherry picked from commit 284173282d4fc25031b6ded0f696c46ecbf97338)
---
M RELEASE-NOTES-1.27
M includes/Sanitizer.php
M tests/phpunit/includes/SanitizerTest.php
3 files changed, 11 insertions(+), 0 deletions(-)

Approvals:
  Brian Wolff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index af5e25f..d3215c9 100644
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -1,3 +1,11 @@
+== MediaWiki 1.27.2 ==
+This is not a release yet!
+
+=== Changes since 1.27.1 ===
+
+* (T68404) CSS3 attr() function with url type argument is no longer allowed
+  in inline styles.
+
 == MediaWiki 1.27.1 ==
 
 This is a maintenance release of the MediaWiki 1.27 branch.
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index d321e9f..1d46e4e 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -983,6 +983,7 @@
                                | url\s*\(
                                | image\s*\(
                                | image-set\s*\(
+                               | attr\s*\([^)]+[\s,]+url
                        !ix', $value ) ) {
                        return '/* insecure input */';
                }
diff --git a/tests/phpunit/includes/SanitizerTest.php 
b/tests/phpunit/includes/SanitizerTest.php
index 72d7166..8bc7933 100644
--- a/tests/phpunit/includes/SanitizerTest.php
+++ b/tests/phpunit/includes/SanitizerTest.php
@@ -314,6 +314,8 @@
                                '/* insecure input */',
                                'background-image: -moz-image-set("asdf.png" 
1x, "asdf.png" 2x);'
                        ],
+                       [ '/* insecure input */', 'foo: attr( title, url );' ],
+                       [ '/* insecure input */', 'foo: attr( title url );' ],
                ];
        }
 

-- 
To view, visit https://gerrit.wikimedia.org/r/316618
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Icdae989764754c985a9292d62efae7cc47009df5
Gerrit-PatchSet: 3
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_27
Gerrit-Owner: Brian Wolff <bawolff...@gmail.com>
Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com>
Gerrit-Reviewer: CSteipp <cste...@wikimedia.org>
Gerrit-Reviewer: Jackmcbarn <jackmcb...@gmail.com>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to