Introduce $wgAllowTitlesInSVG, which allows the <title> attribute in uploaded files bearing the image/svg MIME type. Disabled by default due to the vast majority of web servers being hideously misconfigured. See DefaultSettings.php for more details.

2006-05-05 06:48:29 +00:00 · 2006-05-05 06:48:29 +00:00 · dfdf3c83bc
commit dfdf3c83bc
parent ef4e73ed34
3 changed files with 16 additions and 2 deletions
--- a/3
+++ b/3
@ -204,6 +204,9 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * Rewritten removeUnusedAccounts to be more efficient, print names of inactive
  accounts
 * Redirect Special:Userlist to Special:Listusers
+* Introduce $wgAllowTitlesInSVG, which allows the <title> attribute in uploaded files
+  bearing the image/svg MIME type. Disabled by default due to the vast majority of
+  web servers being hideously misconfigured. See DefaultSettings.php for more details.

 == Compatibility ==

--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@ -1951,4 +1951,13 @@ $wgAllowDisplayTitle = false ;
 */
 $wgReservedUsernames = array( 'MediaWiki default', 'Conversion script' );

+/**
+ * MediaWiki will reject HTMLesque tags in uploaded files due to idiotic browsers which can't
+ * perform basic stuff like MIME detection and which are vulnerable to further idiots uploading
+ * crap files as images. When this directive is on, <title> will be allowed in files with
+ * an "image/svg" MIME type. You should leave this disabled if your web server is misconfigured
+ * and doesn't send appropriate MIME types for SVG images.
+ */
+$wgAllowTitlesInSVG = false;
+
 ?>
--- a/includes/SpecialUpload.php
+++ b/includes/SpecialUpload.php
@ -845,6 +845,7 @@ class UploadForm {
 	* @return bool true if the file contains something looking like embedded scripts
 	*/
 	function detectScript($file,$mime) {
+		global $wgAllowTitlesInSVG;

 		#ugly hack: for text files, always look at the entire file.
 		#For binarie field, just check the first K.
@ -899,9 +900,10 @@ class UploadForm {
 			'<img',
 			'<pre',
 			'<script', #also in safari
-			'<table',
-			'<title'   #also in safari
+			'<table'
 			);
+		if( $mime != 'image/svg' || !$wgAllowTitlesInSVG )
+			$tags[] = '<title';

 		foreach( $tags as $tag ) {
 			if( false !== strpos( $chunk, $tag ) ) {