Umherirrender has submitted this change and it was merged. Change subject: Disallow css attr() with url type ......................................................................
Disallow css attr() with url type CSS3 seems like it will extend the attr() function which can interpret attribute as different types, including 'url', which "...is interpreted as a quoted string within the ‘url()’ notation." Currently no browsers support this syntax yet, so submitting this as a normal non-security patch. Bug: T68404 Change-Id: Icdae989764754c985a9292d62efae7cc47009df5 --- M RELEASE-NOTES-1.26 M includes/Sanitizer.php M tests/phpunit/includes/SanitizerTest.php 3 files changed, 10 insertions(+), 0 deletions(-) Approvals: Brian Wolff: Looks good to me, approved Umherirrender: Verified; Looks good to me, approved diff --git a/RELEASE-NOTES-1.26 b/RELEASE-NOTES-1.26 index f5f2936..7dd56a7 100644 --- a/RELEASE-NOTES-1.26 +++ b/RELEASE-NOTES-1.26 @@ -1,6 +1,13 @@ Security reminder: If you have PHP's register_globals option set, you must turn it off. MediaWiki will not work with it enabled. +== MediaWiki 1.26.5 == +This is not yet a release! + +=== Changes since 1.26.4 === +* (T68404) CSS3 attr() function with url type is no longer allowed + in inline styles. + == MediaWiki 1.26.4 == This is a maintenance release of the MediaWiki 1.26 branch. diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php index de63af7..15ea9b2 100644 --- a/includes/Sanitizer.php +++ b/includes/Sanitizer.php @@ -974,6 +974,7 @@ | url\s*\( | image\s*\( | image-set\s*\( + | attr\s*\([^)]+[\s,]+url !ix', $value ) ) { return '/* insecure input */'; } diff --git a/tests/phpunit/includes/SanitizerTest.php b/tests/phpunit/includes/SanitizerTest.php index d3dc512..3ebf8a2 100644 --- a/tests/phpunit/includes/SanitizerTest.php +++ b/tests/phpunit/includes/SanitizerTest.php 
@@ -314,6 +314,8 @@ '/* insecure input */', 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);' ), + array( '/* insecure input */', 'foo: attr( title, url );' ), + array( '/* insecure input */', 'foo: attr( title url );' ), ); } -- To view, visit https://gerrit.wikimedia.org/r/316621 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Icdae989764754c985a9292d62efae7cc47009df5 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_26 Gerrit-Owner: Brian Wolff <bawolff...@gmail.com> Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com> Gerrit-Reviewer: CSteipp <cste...@wikimedia.org> Gerrit-Reviewer: Jackmcbarn <jackmcb...@gmail.com> Gerrit-Reviewer: Umherirrender <umherirrender_de...@web.de> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
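Review bot: The RELEASE-NOTES-1.26 entry under "Changes since 1.26.4" describes what is now rejected but not what page authors will observe; since Sanitizer.php replaces the whole offending style value with `/* insecure input */` rather than dropping only the `attr()` token, consider extending the bullet to say that affected inline styles are replaced with that comment, so wiki administrators triaging broken styling after the upgrade can recognise the cause.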
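Review bot: In the Sanitizer.php hunk, the new alternative `| attr\s*\([^)]+[\s,]+url` matches the literal token `url` (case-insensitively, via the `i` flag) only when it is preceded by whitespace or a comma inside the parentheses, so a bare `attr(title)` or an attribute that merely contains the substring (for example `attr(data-url)`) is still accepted, which keeps the false-positive surface small; a comment to that effect above the alternative would help the next maintainer. The match also depends on `$value` having already been normalised (comment stripping and escape decoding) earlier in this function, which is outside the visible context of the hunk; please confirm in review that this alternative sits after that normalisation like the neighbouring `url\s*\(` and `image-set\s*\(` alternatives do.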
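Review bot: The two new SanitizerTest.php cases only exercise rejection (`attr( title, url )` and `attr( title url )`); add a negative case asserting that a plain `foo: attr( title );` passes unchanged, so the regression suite also guards against the new alternative over-blocking legitimate `attr()` use, and a mixed-case variant such as `foo: ATTR( title, URL );` to pin the `i` flag on the pattern.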