Thijs/wiki.techinc.nl

Fork 0

Commit graph

Author	SHA1	Message	Date
Brion Vibber	2e83387666	Relax HTML sniffing checks on image upload Allows uploaded files to include some HTML tag strings that were previously forbidden in the first 1k or so of the file: * <a href * <img * <pre * <table * <title They are now allowed as long as the IE MIME type detection heuristic would not change their types. This should reduce the number of false positive checks in JPEGs with EXIF data with links. Also deprecates $wgAllowTitlesInSVG and allows it by default. This should still protect against malformed PNG attacks on old IE versions, though false positive checks are conceivable on PNG files containing comments very close to the beginning of the file. Adds $wgVerifyMimeTypeIE config var to allow disabling the IE checks entirely, if desired, but leaves it in place by default. These are more conservative than the checks that were removed. Added test cases for the old IE5/6 bug and the particular sort of JPEG metadata that struck false positives previously. Bug: T27707 Change-Id: I66642a74fce1a1894cad67d62b0da61020db469a	2019-06-07 14:21:00 -07:00
Bartosz Dziewoński	19d692051f	UploadBase: Permit SVG files with broken namespace definition (Inkscape bug) Inkscape mangles namespace definitions created by Adobe Illustrator (apparently it can't parse custom entities or something, maybe just in 'xmlns' attributes). These files are still valid SVG, and not a security issue (although Illustrator probably won't like them), so it's okay to allow them. Added tests with some example files. * buggynamespace-original.svg File generated by Illustrator (edited by hand to reduce filesize). Based on <https://commons.wikimedia.org/w/?curid=16495597>. * buggynamespace-okay.svg The original file, opened and saved in Inkscape (no other changes). * buggynamespace-okay2.svg The original file, opened and saved in Inkscape twice. * buggynamespace-bad.svg The original file, edited by hand to remove custom entities. This is not valid XML and should be rejected (although it's valid when parsed as HTML, and some image viewers might display it). * buggynamespace-evilhtml.svg An SVG file using an entity declared namespace for a namespace we want to ban. Based on buggynamespace-original.svg. Bug: T144827 Change-Id: I0eb9766cab86a58d729f10033c64f57d2076d917	2016-10-27 10:24:32 +00:00
Bartosz Dziewoński	fd718959b6	Copy various random files used by tests to tests/phpunit/data The tests currently depend on them never being renamed, which is bad. (Actual file data in git is de-duplicated automatically AFAIK.) Change-Id: Id2440326981218f9e7d51541a168db59183fdadf	2014-06-03 22:52:51 +02:00

Author

SHA1

Message

Date

Brion Vibber

2e83387666

Relax HTML sniffing checks on image upload

Allows uploaded files to include some HTML tag strings that were
previously forbidden in the first 1k or so of the file:
* <a href
* <img
* <pre
* <table
* <title

They are now allowed as long as the IE MIME type detection heuristic
would not change their types. This should reduce the number of false
positive checks in JPEGs with EXIF data with links.

Also deprecates $wgAllowTitlesInSVG and allows it by default.

This should still protect against malformed PNG attacks on old IE
versions, though false positive checks are conceivable on PNG files
containing comments very close to the beginning of the file.

Adds $wgVerifyMimeTypeIE config var to allow disabling the IE checks
entirely, if desired, but leaves it in place by default. These are
more conservative than the checks that were removed.

Added test cases for the old IE5/6 bug and the particular sort of
JPEG metadata that struck false positives previously.

Bug: T27707
Change-Id: I66642a74fce1a1894cad67d62b0da61020db469a

2019-06-07 14:21:00 -07:00

Bartosz Dziewoński

19d692051f

UploadBase: Permit SVG files with broken namespace definition (Inkscape bug)

Inkscape mangles namespace definitions created by Adobe Illustrator
(apparently it can't parse custom entities or something, maybe just
in 'xmlns' attributes). These files are still valid SVG, and not
a security issue (although Illustrator probably won't like them),
so it's okay to allow them.

Added tests with some example files.

* buggynamespace-original.svg
  File generated by Illustrator (edited by hand to reduce filesize).
  Based on <https://commons.wikimedia.org/w/?curid=16495597>.

* buggynamespace-okay.svg
  The original file, opened and saved in Inkscape (no other changes).

* buggynamespace-okay2.svg
  The original file, opened and saved in Inkscape twice.

* buggynamespace-bad.svg
  The original file, edited by hand to remove custom entities.
  This is not valid XML and should be rejected (although it's valid
  when parsed as HTML, and some image viewers might display it).

* buggynamespace-evilhtml.svg
  An SVG file using an entity declared namespace for a namespace
  we want to ban. Based on buggynamespace-original.svg.

Bug: T144827
Change-Id: I0eb9766cab86a58d729f10033c64f57d2076d917

2016-10-27 10:24:32 +00:00

Bartosz Dziewoński

fd718959b6

Copy various random files used by tests to tests/phpunit/data

The tests currently depend on them never being renamed, which is bad.
(Actual file data in git is de-duplicated automatically AFAIK.)

Change-Id: Id2440326981218f9e7d51541a168db59183fdadf

2014-06-03 22:52:51 +02:00

3 commits