Andre Klapper <> changed:

           What    |Removed                     |Added
           Priority|Unprioritized               |Normal
            Summary|Vector Skin Not Displaying  |Vector Skin Not Displaying:
                   |                            |file_exists() doesn't
                   |                            |filter for "data:" URLs?

--- Comment #2 from Andre Klapper <> ---
MW 1.22.2 PHP 5.4.1 MySQL 5.5.24

Ciencia Al Poder commented on the Support Desk thread:
 This seems to be a bug.
 It's looking for file_exists() based on the match of URL_REGEX, which only
 takes into account all url() values in CSS, but it doesn't filter for data:
 URL, which is unnecessarily feeding file_exists() for data: URLs that aren't
 going to be found on the server.
 In fact, I don't see any further validation on those paths, so I don't know
 if a malicious CSS file can expose any file accessible from PHP.

You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
Wikibugs-l mailing list

Reply via email to