r66990 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r66989‎ \| r66990 \| r66991 >
Date:	05:02, 28 May 2010
Author:	tstarling
Status:	ok (Comments)
Tags:
Comment:	Normalise CSS escape sequences.
Modified paths:	/trunk/phase3/includes/Sanitizer.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/Sanitizer.php
—	—	@@ -650,10 +650,6 @@
651	651	# http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
652	652	if( $attribute == 'style' ) {
653	653	$value = Sanitizer::checkCss( $value );
654		~~- if( $value === false ) {~~
655		~~- # haxx0r~~
656		~~- continue;~~
657		~~- }~~
658	654	}
659	655
660	656	if ( $attribute === 'id' ) {
—	—	@@ -750,10 +746,8 @@
751	747	$value = StringUtils::delimiterReplace( '/', '/', ' ', $value );
752	748
753	749	// Decode escape sequences and line continuation
754		~~- // See the grammar in the CSS 2 spec, appendix D, Mozilla implements it accurately.~~
755		~~- // IE 8 doesn't implement it at all, but there's no way to introduce url() into~~
756		~~- // IE that doesn't hit Mozilla also.~~
757		~~- static $decodeRegex;~~
	750	+ // See the grammar in the CSS 2 spec, appendix D.
	751	+ static $decodeRegex, $reencodeTable;
758	752	if ( !$decodeRegex ) {
759	753	$space = '[\\x20\\t\\r\\n\\f]';
760	754	$nl = '(?:\\n\|\\r\\n\|\\r\|\\f)';
—	—	@@ -762,30 +756,41 @@
763	757	(?:
764	758	($nl) \| # 1. Line continuation
765	759	([0-9A-Fa-f]{1,6})$space? \| # 2. character number
766		~~- (.) # 3. backslash cancelling special meaning~~
	760	+ (.) \| # 3. backslash cancelling special meaning
	761	+ () \| # 4. backslash at end of string
767	762	)/xu";
768	763	}
769		~~- $decoded = preg_replace_callback( $decodeRegex,~~
	764	+ $value = preg_replace_callback( $decodeRegex,
770	765	array( __CLASS__, 'cssDecodeCallback' ), $value );
771		~~- if ( preg_match( '!expression\|https?://\|url\s*\(!i', $decoded ) ) {~~
772		~~- // Not allowed~~
773		~~- return false;~~
774		~~- } else {~~
775		~~- // Allowed, return CSS with comments stripped~~
776		~~- return $value;~~
	766	+
	767	+ // Reject problematic keywords and control characters
	768	+ if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
	769	+ return '/* invalid control char */';
	770	+ } elseif ( preg_match( '! expression \| filter\s: \| accelerator\s: \| url\s*\( !ix', $value ) ) {
	771	+ return '/* insecure input */';
777	772	}
	773	+ return $value;
778	774	}
779	775
780	776	static function cssDecodeCallback( $matches ) {
781	777	if ( $matches[1] !== '' ) {
	778	+ // Line continuation
782	779	return '';
783	780	} elseif ( $matches[2] !== '' ) {
784		~~- return codepointToUtf8( hexdec( $matches[2] ) );~~
	781	+ $char = codepointToUtf8( hexdec( $matches[2] ) );
785	782	} elseif ( $matches[3] !== '' ) {
786		~~- return $matches[3];~~
	783	+ $char = $matches[3];
787	784	} else {
788		~~- throw new MWException( __METHOD__.': invalid match' );~~
	785	+ $char = '\\';
789	786	}
	787	+ if ( $char == "\n" \|\| $char == '"' \|\| $char == "'" \|\| $char == '\\' ) {
	788	+ // These characters need to be escaped in strings
	789	+ // Clean up the escape sequence to avoid parsing errors by clients
	790	+ return '\\' . dechex( ord( $char ) ) . ' ';
	791	+ } else {
	792	+ // Decode unnecessary escape
	793	+ return $char;
	794	+ }
790	795	}
791	796
792	797	/**

Follow-up revisions

Revision	Commit summary	Author	Date
r66992	MFT r66990 (CSS escape sequence normalisation), and updates for release of 1....	tstarling	07:08, 28 May 2010
r66993	MFT r66990 (CSS escape sequence normalisation), and updates for release of 1....	tstarling	07:09, 28 May 2010
r66994	MFT r66990: CSS escape sequence normalisation	tstarling	07:10, 28 May 2010
r67101	Follow up r66990. Fix parser tests.	platonides	18:59, 30 May 2010
r67630	MFT r67101 fixing in branch parser tests broken in r66990....	platonides	16:06, 8 June 2010

Comments

#Comment by OverlordQ (talk | contribs) 17:38, 30 May 2010

Parser tests need updated.

9 previously passing test(s) now FAILING! :(

<pre> with forbidden attribute values (bug 3202) [Introduced between 30-May-2010 17:30:20, 1.17alpha (r66989) and 30-May-2010 17:30:56, 1.17alpha (r66990)]
Bug 2304: HTML attribute safety (dangerous style template; 2309) [Introduced between 30-May-2010 17:30:20, 1.17alpha (r66989) and 30-May-2010 17:30:56, 1.17alpha (r66990)]
Bug 2304: HTML attribute safety (unsafe parameter; 2309) [Introduced between 30-May-2010 17:30:20, 1.17alpha (r66989) and 30-May-2010 17:30:56, 1.17alpha (r66990)]
Bug 3244: HTML attribute safety (extension; unsafe) [Introduced between 30-May-2010 17:30:20, 1.17alpha (r66989) and 30-May-2010 17:30:56, 1.17alpha (r66990)]
MSIE CSS safety test: spurious slash [Introduced between 30-May-2010 17:30:20, 1.17alpha (r66989) and 30-May-2010 17:30:56, 1.17alpha (r66990)]
MSIE CSS safety test: hex code [Introduced between 30-May-2010 17:30:20, 1.17alpha (r66989) and 30-May-2010 17:30:56, 1.17alpha (r66990)]
Table attribute safety [Introduced between 30-May-2010 17:30:20, 1.17alpha (r66989) and 30-May-2010 17:30:56, 1.17alpha (r66990)]
CSS line continuation 1 [Introduced between 30-May-2010 17:30:20, 1.17alpha (r66989) and 30-May-2010 17:30:56, 1.17alpha (r66990)]
CSS line continuation 2 [Introduced between 30-May-2010 17:30:20, 1.17alpha (r66989) and 30-May-2010 17:30:56, 1.17alpha (r66990)]

#Comment by CMBJ (talk | contribs) 21:14, 1 June 2010

r66990 appears to have made transparency [filter: alpha(opacity=70);] impossible on some browsers.

#Comment by Tim Starling (talk | contribs) 00:13, 2 June 2010

The filter property is insecure and can lead to complete compromise of the client computer, see http://seclists.org/bugtraq/2010/May/228

#Comment by CMBJ (talk | contribs) 09:43, 2 June 2010

Could we not specifically restrict 'ICMFilter' instead?

#Comment by Tim Starling (talk | contribs) 12:59, 2 June 2010

No. AlphaImageLoader is also a security vulnerability, it allows users to load arbitrary URLs without requiring the blacklisted url() markup. The potential for similar security vulnerabilities is unlimited. IE extensions may define their own filter objects, MSDN provides complete documentation and tutorials explaining how to do this. And Microsoft may add new filters in future versions of IE which open up new security vulnerabilities.

We would have to parse it and whitelist certain "known-good" filters instead, which would be challenging since the format of the filter property appears to be undocumented, and is subject to change. I'd rather spend my time working on better standards-compliance.

CSS 3 has an opacity property which does what you want to do, you should use that instead. It works on all browsers except one.

#Comment by Tim Starling (talk | contribs) 06:12, 11 June 2010

Marking new since the parser tests were fixed in r67101.

#Comment by Hashar (talk | contribs) 18:25, 15 November 2010

There was no activity on this CR revision and it got merge to trunk. Could we assume it as "ok" ?

#Comment by Happy-melon (talk | contribs) 15:32, 15 December 2010

It's been running on WMF for six months; if there were a regression obvious enough to spot in CR, someone would have seen it by now.

Status & tagging log

15:32, 15 December 2010 Happy-melon (talk | contribs) changed the status of r66990 [removed: new added: ok]
06:12, 11 June 2010 Tim Starling (talk | contribs) changed the status of r66990 [removed: fixme added: new]
17:38, 30 May 2010 OverlordQ (talk | contribs) changed the status of r66990 [removed: new added: fixme]