r66992 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r66991‎ | r66992 | r66993 >
Date:07:08, 28 May 2010
Author:tstarling
Status:deferred
Tags:
Comment:
MFT r66990 (CSS escape sequence normalisation), and updates for release of 1.15.4.
Modified paths:
  • /branches/REL1_15/phase3/RELEASE-NOTES (modified) (history)
  • /branches/REL1_15/phase3/includes/DefaultSettings.php (modified) (history)
  • /branches/REL1_15/phase3/includes/Sanitizer.php (modified) (history)
  • /branches/REL1_15/phase3/includes/specials (modified) (history)
  • /branches/REL1_15/phase3/includes/templates (modified) (history)

Diff [purge]

Index: branches/REL1_15/phase3/includes/Sanitizer.php
@@ -607,10 +607,6 @@
608608 # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
609609 if( $attribute == 'style' ) {
610610 $value = Sanitizer::checkCss( $value );
611 - if( $value === false ) {
612 - # haxx0r
613 - continue;
614 - }
615611 }
616612
617613 if ( $attribute === 'id' ) {
@@ -664,10 +660,8 @@
665661 $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
666662
667663 // Decode escape sequences and line continuation
668 - // See the grammar in the CSS 2 spec, appendix D, Mozilla implements it accurately.
669 - // IE 8 doesn't implement it at all, but there's no way to introduce url() into
670 - // IE that doesn't hit Mozilla also.
671 - static $decodeRegex;
 664+ // See the grammar in the CSS 2 spec, appendix D.
 665+ static $decodeRegex, $reencodeTable;
672666 if ( !$decodeRegex ) {
673667 $space = '[\\x20\\t\\r\\n\\f]';
674668 $nl = '(?:\\n|\\r\\n|\\r|\\f)';
@@ -676,30 +670,41 @@
677671 (?:
678672 ($nl) | # 1. Line continuation
679673 ([0-9A-Fa-f]{1,6})$space? | # 2. character number
680 - (.) # 3. backslash cancelling special meaning
 674+ (.) | # 3. backslash cancelling special meaning
 675+ () | # 4. backslash at end of string
681676 )/xu";
682677 }
683 - $decoded = preg_replace_callback( $decodeRegex,
 678+ $value = preg_replace_callback( $decodeRegex,
684679 array( __CLASS__, 'cssDecodeCallback' ), $value );
685 - if ( preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) {
686 - // Not allowed
687 - return false;
688 - } else {
689 - // Allowed, return CSS with comments stripped
690 - return $value;
 680+
 681+ // Reject problematic keywords and control characters
 682+ if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
 683+ return '/* invalid control char */';
 684+ } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) {
 685+ return '/* insecure input */';
691686 }
 687+ return $value;
692688 }
693689
694690 static function cssDecodeCallback( $matches ) {
695691 if ( $matches[1] !== '' ) {
 692+ // Line continuation
696693 return '';
697694 } elseif ( $matches[2] !== '' ) {
698 - return codepointToUtf8( hexdec( $matches[2] ) );
 695+ $char = codepointToUtf8( hexdec( $matches[2] ) );
699696 } elseif ( $matches[3] !== '' ) {
700 - return $matches[3];
 697+ $char = $matches[3];
701698 } else {
702 - throw new MWException( __METHOD__.': invalid match' );
 699+ $char = '\\';
703700 }
 701+ if ( $char == "\n" || $char == '"' || $char == "'" || $char == '\\' ) {
 702+ // These characters need to be escaped in strings
 703+ // Clean up the escape sequence to avoid parsing errors by clients
 704+ return '\\' . dechex( ord( $char ) ) . ' ';
 705+ } else {
 706+ // Decode unnecessary escape
 707+ return $char;
 708+ }
704709 }
705710
706711 /**
Property changes on: branches/REL1_15/phase3/includes/Sanitizer.php
___________________________________________________________________
Added: svn:mergeinfo
707712 Merged /trunk/phase3/includes/Sanitizer.php:r48836,48886,48892,48989,48992,49002,49051,49068,49086,49191-49192,49212,49682,49685,49730,49775,49954,49956,49999,50041,50054,50070,50132,50134,50169,50215,50218,50328,50470,50580,51587,54828,66990
708713 Merged /trunk/phase3/includes/specials/Sanitizer.php:r48993
Index: branches/REL1_15/phase3/includes/DefaultSettings.php
@@ -33,7 +33,7 @@
3434 }
3535
3636 /** MediaWiki version number */
37 -$wgVersion = '1.15.3';
 37+$wgVersion = '1.15.4';
3838
3939 /** Name of the site. It must be changed in LocalSettings.php */
4040 $wgSitename = 'MediaWiki';
Property changes on: branches/REL1_15/phase3/includes/specials
___________________________________________________________________
Modified: svn:mergeinfo
4141 Merged /trunk/phase3/includes/specials:r65760
Property changes on: branches/REL1_15/phase3/includes/templates
___________________________________________________________________
Added: svn:mergeinfo
4242 Merged /trunk/phase3/includes/templates:r48836,48886,48892,48989,48992,49002,49051,49068,49086,49191-49192,49212,49682,49685,49730,49775,49954,49956,49999,50041,50054,50070,50132,50134,50169,50215,50218,50328,50470,50580,51587,54828,65760
4343 Merged /trunk/phase3/includes/specials/templates:r48993
Index: branches/REL1_15/phase3/RELEASE-NOTES
@@ -5,6 +5,8 @@
66
77 == MediaWiki 1.15.4 ==
88
 9+2010-05-28
 10+
911 This is a security and maintenance release.
1012
1113 MediaWiki is now using a "continuous integration" development model with
@@ -21,6 +23,10 @@
2224 == Changes since 1.15.3 ==
2325
2426 * (bug 23534) Fixed SQL query error in API list=allusers.
 27+* (bug 23371) Fixed CSRF vulnerability in "e-mail me my password", "create
 28+ account" and "create by e-mail" features of [[Special:Userlogin]]
 29+* (bug 23687) Fixed XSS vulnerability affecting IE clients only, due to a CSS
 30+ validation issue.
2531
2632 === Changes since 1.15.2 ===
2733

Follow-up revisions

RevisionCommit summaryAuthorDate
r69955MFT r67101. Fix parserTests broken r66992platonides18:38, 26 July 2010

Past revisions this follows-up on

RevisionCommit summaryAuthorDate
r66990Normalise CSS escape sequences.tstarling05:02, 28 May 2010

Status & tagging log