r64376 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r64375‎ \| r64376 \| r64377 >
Date:	04:24, 30 March 2010
Author:	tstarling
Status:	deferred
Tags:
Comment:	MFT r64375: CSS injection
Modified paths:	/branches/REL1_16/extensions/InputBox (modified) (history) /branches/REL1_16/extensions/InputBox/InputBox.classes.php (modified) (history)

Diff [purge]

Index: branches/REL1_16/extensions/InputBox/InputBox.classes.php
—	—	@@ -503,7 +503,28 @@
504	504	// Validate the width; make sure it's a valid, positive integer
505	505	$this->mWidth = intval( $this->mWidth <= 0 ? 50 : $this->mWidth );
506	506
	507	+ // Validate background color
	508	+ if ( !$this->isValidColor( $this->mBGColor ) ) {
	509	+ $this->mBGColor = 'transparent';
	510	+ }
507	511	wfProfileOut( __METHOD__ );
508	512	}
509	513
	514	+ /**
	515	+ * Do a security check on the bgcolor parameter
	516	+ */
	517	+ public function isValidColor( $color ) {
	518	+ $regex = <<<REGEX
	519	+ /^ (
	520	+ [a-zA-Z]* \| # color names
	521	+ \# [0-9a-f]{3} \| # short hexadecimal
	522	+ \# [0-9a-f]{6} \| # long hexadecimal
	523	+ rgb \s* \( \s* (
	524	+ \d+ \s* , \s* \d+ \s* , \s* \d+ \| # rgb integer
	525	+ [0-9.]+% \s* , \s* [0-9.]+% \s* , \s* [0-9.]+% # rgb percent
	526	+ ) \s* \)
	527	+ ) $ /xi
	528	+REGEX;
	529	+ return (bool) preg_match( $regex, $color );
	530	+ }
510	531	}
Property changes on: branches/REL1_16/extensions/InputBox
___________________________________________________________________
Name: svn:mergeinfo
511	532	+ /trunk/extensions/InputBox:64375

Revision	Commit summary	Author	Date
r64375	Validate background colour to avoid arbitrary style attribute injection. Lead...	tstarling	03:59, 30 March 2010

15:39, 14 November 2010 Reedy (talk | contribs) changed the status of r64376 [removed: new added: deferred]