Page MenuHomePhabricator
Create Task
Maniphest T60553

Invalid xml accepted by svg upload
Closed, ResolvedPublic
Actions

Assigned To
None
Authored By
csteipp
Dec 16 2013, 9:56 PM
Tags
Referenced Files
F12349: bug58553_122.patch
Nov 22 2014, 2:27 AM
F12347: bug58553_119.patch
Nov 22 2014, 2:27 AM
F12348: bug58553_121.patch
Nov 22 2014, 2:27 AM
F12346: bug58553b-rebase_57550.patch
Nov 22 2014, 2:27 AM
F12345: bug58553b.patch
Nov 22 2014, 2:27 AM
Subscribers
Bawolff
csteipp
Fabrice_Florin
Grunny
MarkTraceur
Tgr
tstarling
wikibugs-l-list

Description

Tim pointed out on bug 57550 that our SVG script checker doesn't check to ensure that the xml parser found the svg to be well formed. The checkSvgScriptCallback isn't called for any part of the svg following invalid xml, so anything that would be caught as a script in checkSvgScriptCallback is skipped.

In testing, it appears that modern versions of FF/Chrome/Opera all stop rendering svg files when they encounter invalid xml.

However, in case any older browsers ignore errors, we should also reject invalid xml for SVG uploads.

Version: unspecified
Severity: normal

Details

Reference
bz58553

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedNoneT60553 Invalid xml accepted by svg upload
 ResolvedNoneT67724 Chunked upload of SVGs triggers INVALIDXML exception, but file is valid

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 2:26 AM
bzimport added a project: MediaWiki-Uploading.
bzimport set Reference to bz58553.
bzimport added a subscriber: Unknown Object (MLST).
csteipp created this task.Dec 16 2013, 9:56 PM
tstarling added a comment.Dec 17 2013, 12:41 AM

The cases where xml_parse() returns false is broader than the strict definition of invalid XML. For example, libxml loads the values of attributes into dynamically allocated memory. With ulimit/cgroup limiting memory usage, the malloc() can return NULL, which leads to xml_parse() returning 0 and giving a PHP warning like:

Warning: xml_parse(): Memory allocation failed : growing buffer in /srv/mw/core/includes/libs/XmlTypeCheck.php on line 124

csteipp added a comment.Dec 17 2013, 12:48 AM

Created attachment 14116
Return error on invalid XML

attachment bug58553.patch ignored as obsolete

csteipp added a comment.Dec 17 2013, 12:49 AM

Hmm.. didn't see your comment until I posted that. Perhaps the error should be "Couldn't parse the XML"?

csteipp added a comment.Dec 17 2013, 9:12 PM

Created attachment 14124
Return error if XML can't be parsed for SVGs

Added the translations to this version. Updated the message per Tim's comment.

Attached:

bug58553b.patch3 KBDownload

tstarling added a comment.Dec 18 2013, 11:57 PM

Looks good.

csteipp added a comment.Dec 19 2013, 9:35 PM

Created attachment 14143
Patch rebased on the patch for bug 57550

Attached:

bug58553b-rebase_57550.patch3 KBDownload

csteipp added a comment.Dec 23 2013, 6:29 PM

This was assigned CVE-2013-6453

Mglaser added a comment.Jan 8 2014, 11:11 PM

Created attachment 14267
Return error if XML can't be parsed for SVGs (1.19 branch)

Attached:

bug58553_119.patch3 KBDownload

Mglaser added a comment.Jan 8 2014, 11:11 PM

Created attachment 14268
Return error if XML can't be parsed for SVGs (1.21 branch)

Attached:

bug58553_121.patch3 KBDownload

Mglaser added a comment.Jan 8 2014, 11:12 PM

Created attachment 14269
Return error if XML can't be parsed for SVGs (1.22 branch)

Attached:

bug58553_122.patch3 KBDownload

Gilles raised the priority of this task from Medium to Unbreak Now!.Dec 4 2014, 10:20 AM
Gilles added a project: Multimedia.
Gilles moved this task from Untriaged to Done on the Multimedia board.
Gilles lowered the priority of this task from Unbreak Now! to Medium.Dec 4 2014, 11:21 AM
csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL