file_get_contents() started supporting a negative offset in 7.1+. But
we really just want to start with 0.
Also fix the order of arguments to assertSame() so that the expected
value is first.
Bug: T182366
Change-Id: I84c92652de5b51a43f6e2b58cd235d2889093453
Clean up use of @codingStandardsIgnore
- @codingStandardsIgnoreFile -> phpcs:ignoreFile
- @codingStandardsIgnoreLine -> phpcs:ignore
- @codingStandardsIgnoreStart -> phpcs:disable
- @codingStandardsIgnoreEnd -> phpcs:enable
For phpcs:disable always the necessary sniffs are provided.
Some start/end pairs are changed to line ignore
Change-Id: I92ef235849bcc349c69e53504e664a155dd162c8
Only allow ENTITY declarations inside the doctype internal
subset. Do not allow parameter entities, recursive entity
references are entity values longer than 255 bytes, or
external entity references. Filter external doctype subset
to only allow the standard svg doctypes.
Recursive entities that are simple aliases are allowed
because people appear to use them on commons. Declaring
xmlns:xlink to have a #FIXED value to the xlink namespace
is allowed because GraphViz apparently does that so its
somewhat common.
This prevents someone bypassing filter by using default
attribute values in internal dtd subset. No browser loads
the external dtd subset that I could find, but whitelist
just to be safe anyways.
Issue reported by Cassiogomes11.
Bug: T151735
Change-Id: I7cb4690f759ad97e70e06e560978b6207d84c446
It's unreasonable to expect newbies to know that "bug 12345" means "Task T14345"
except where it doesn't, so let's just standardise on the real numbers.
Change-Id: I46261416f7603558dceb76ebe695a5cac274e417
Use HTTPS instead of HTTP where the HTTP link is a redirect to the HTTPS link.
Also update some defect links.
Change-Id: Ic3a5eac910d098ed5c2a21e9f47c9b6ee06b2643
Inkscape mangles namespace definitions created by Adobe Illustrator
(apparently it can't parse custom entities or something, maybe just
in 'xmlns' attributes). These files are still valid SVG, and not
a security issue (although Illustrator probably won't like them),
so it's okay to allow them.
Added tests with some example files.
* buggynamespace-original.svg
File generated by Illustrator (edited by hand to reduce filesize).
Based on <https://commons.wikimedia.org/w/?curid=16495597>.
* buggynamespace-okay.svg
The original file, opened and saved in Inkscape (no other changes).
* buggynamespace-okay2.svg
The original file, opened and saved in Inkscape twice.
* buggynamespace-bad.svg
The original file, edited by hand to remove custom entities.
This is not valid XML and should be rejected (although it's valid
when parsed as HTML, and some image viewers might display it).
* buggynamespace-evilhtml.svg
An SVG file using an entity declared namespace for a namespace
we want to ban. Based on buggynamespace-original.svg.
Bug: T144827
Change-Id: I0eb9766cab86a58d729f10033c64f57d2076d917
The check is meant to prevent weird encodings like UTF-7 or HZ.
Encodings like the WINDOWS-125X family which are extensions of ascii
are safe. Additionally people still use windows-1252 on rare occasion.
Bug: T72937
Change-Id: I6cd63274cc04a7fca3afd244b4122ea64042dced
* Add slash and backslash ('/' and '\') to $wgIllegalFileChars.
* Replace illegal chars before removing paths in wfStripIllegalFilenameChars().
This way users trying to upload a file with slashes in the name will
get a better filename suggestion (e.g. for 'Foo part 1/3.jpg', you
previously got '3.jpg', now you'll get 'Foo part 1-3.jpg'). Uploading
tools that don't special-case slashes will also behave better.
Change-Id: Ib78f48a5f8c92e8ab2dc773ea6789b96b3662177
SVG filter incorrectly used the m modifier when checking if an href
attribute started with 'https?://', incorrectly matching attributes
such as, "javascript:alert(' http://foo')".
Bug: T122653
Change-Id: I41291fff344241cad3171f3e8050de99b62a2296
Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
XmlTypeCheck's use of xml_parse for filtering SVG's sometimes left xml
entities unexpanded, which can lead to false-negatives when the
callback was used for filtering. Update XmlTypeCheck to use XMLReader
instead, tell the library to fully expand entities, and rely on the
library to error out if it encounters XML that is likely to cause a DoS
if parsed.
Bug: T88310
Change-Id: I77c77a2d6d22f549e7ef969811f7edd77a45dbba
Fix for iSEC-WMF1214-11 and issue reported by Cure 53, which got
around our blacklist on embedded href targets. Use a whitelist instead.
Bug: T85850
Change-Id: I17b7ed65935b818695a83fd901fcaf90fffecf28
@import in embedded CSS is case-insensitive, meaning
an attacker can put "@iMpOrT" and it should still
work.
This uses stripos instead of strpos to make the check
case insensitive.
Bug: T85349
Change-Id: I31db9d81f46460af2d8d3f161ba46c2ab7a170d1
* Use MediaWikiTestCase::getNewTempFile and getNewTempDirectory
instead of wfTempDir().
The upload api tests wrote a tempnam() file directly (where
wfTempDir() is typically shared with other systems and concurrent
runs). Use MediaWikiTestCase::getNewTempFile and
getNewTempDirectory instead.
This also ensures its removal by the teardown handler without
needing manual unlink() calls. And it doesn't rely on the test
passing. (Many unlink calls where at the bottom of tests,
which wouldn't be reached in case of failure).
* For the upload test, the presistent storing of
'Oberaargletscher_from_Oberaar.jpg' (downloaded from Commons)
was removed. Note that this didn't work for Jenkins builds anyway
as Jenkins builds set $wgTmpDirectory to a unique directory
in tmpfs associated with an individual build.
* For filebackend tests, moved directory creation from the dataProvider
to the main test.
Implemented addTmpFiles() to allow subclasses to register
additional files (created by other means) to be cleaned up also.
Removed unused $tmpName and $toPath parameters in data
provider for FileBackendTest::testStore. And fixed weird double
$op2 variable name to be called $op3.
* Skipped parserTest.inc, MockFileBackend.php, and
UploadFromUrlTestSuite.php as those don't use MediaWikiTestCase.
Change-Id: Ic7feb06ef0c1006eb99485470a1a59419f972545
Abstracts the logic for restoration into the built-in teardown()
handler.
Also purify the test configuration by setting wgHooks and
wgFileExtensions to otherwise empty arrays instead of extending
existing ones.
Change-Id: Ied65ee62f658dd650c603a54e72cd19965867a8f
* Filter <style> elements
* Normalize style elements and attributes before filtering
* Add checks for attributes that contain css
* Add unit tests for html5sec and reported bugs
Bug:69008
Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
