Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Introduce $wgAllowTitlesInSVG, which allows the <title> attribute in uploaded files bearing the image/svg MIME type. Disabled by default due to the vast majority of web servers being hideously misconfigured. See DefaultSettings.php for more details.

Browse source
This commit is contained in:
Rob Church 2006-05-05 06:48:29 +00:00
parent ef4e73ed34
commit dfdf3c83bc
3 changed files with 16 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
RELEASE-NOTES
View file

@ -204,6 +204,9 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
* Rewritten removeUnusedAccounts to be more efficient, print names of inactive * Rewritten removeUnusedAccounts to be more efficient, print names of inactive
accounts accounts
* Redirect Special:Userlist to Special:Listusers * Redirect Special:Userlist to Special:Listusers
* Introduce $wgAllowTitlesInSVG, which allows the <title> attribute in uploaded files
bearing the image/svg MIME type. Disabled by default due to the vast majority of
web servers being hideously misconfigured. See DefaultSettings.php for more details.
== Compatibility == == Compatibility ==

9
includes/DefaultSettings.php
View file

@ -1951,4 +1951,13 @@ $wgAllowDisplayTitle = false ;
*/ */
$wgReservedUsernames = array( 'MediaWiki default', 'Conversion script' ); $wgReservedUsernames = array( 'MediaWiki default', 'Conversion script' );
/**
* MediaWiki will reject HTMLesque tags in uploaded files due to idiotic browsers which can't
* perform basic stuff like MIME detection and which are vulnerable to further idiots uploading
* crap files as images. When this directive is on, <title> will be allowed in files with
* an "image/svg" MIME type. You should leave this disabled if your web server is misconfigured
* and doesn't send appropriate MIME types for SVG images.
*/
$wgAllowTitlesInSVG = false;
?> ?>

6
includes/SpecialUpload.php
View file

@ -845,6 +845,7 @@ class UploadForm {
* @return bool true if the file contains something looking like embedded scripts * @return bool true if the file contains something looking like embedded scripts
*/ */
function detectScript($file,$mime) { function detectScript($file,$mime) {
global $wgAllowTitlesInSVG;
#ugly hack: for text files, always look at the entire file. #ugly hack: for text files, always look at the entire file.
#For binarie field, just check the first K. #For binarie field, just check the first K.
@ -899,9 +900,10 @@ class UploadForm {
'<img', '<img',
'<pre', '<pre',
'<script', #also in safari '<script', #also in safari
'<table', '<table'
'<title' #also in safari
); );
if( $mime != 'image/svg' || !$wgAllowTitlesInSVG )
$tags[] = '<title';
foreach( $tags as $tag ) { foreach( $tags as $tag ) {
if( false !== strpos( $chunk, $tag ) ) { if( false !== strpos( $chunk, $tag ) ) {