r14084 - Code Review

From MediaWiki.org

Repository: MediaWiki
Revision: r14084
Date: 06:48, 5 May 2006
Author: robchurch
Status: new
Tags:
Comment: Introduce $wgAllowTitlesInSVG, which allows the <title> attribute in uploaded files bearing the image/svg MIME type. Disabled by default due to the vast majority of web servers being hideously misconfigured. See DefaultSettings.php for more details.
Modified paths: trunk/phase3/includes/SpecialUpload.php, trunk/phase3/includes/DefaultSettings.php, trunk/phase3/RELEASE-NOTES

Diff

Index: trunk/phase3/includes/SpecialUpload.php
===================================================================
--- trunk/phase3/includes/SpecialUpload.php	(revision 14083)
+++ trunk/phase3/includes/SpecialUpload.php	(revision 14084)
@@ -845,6 +845,7 @@
 	* @return bool true if the file contains something looking like embedded scripts
 	*/
 	function detectScript($file,$mime) {
+		global $wgAllowTitlesInSVG;
 
 		#ugly hack: for text files, always look at the entire file.
 		#For binarie field, just check the first K.
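Review bot: reading $wgAllowTitlesInSVG through `global` inside detectScript() couples a pure content check to process-wide configuration, and the value is only consulted in the second hunk below; since the function already receives $mime, consider passing the allow flag in as a further parameter (or resolving it once in the caller) so the check can be exercised in isolation without setting globals. Minor, while the function is being touched: the unchanged comment on the following line reads "For binarie field" and should say "For binary files".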
@@ -899,9 +900,10 @@
 			'<img',
 			'<pre',
 			'<script', #also in safari
-			'<table',
-			'<title'   #also in safari
+			'<table'
 			);
+		if( $mime != 'image/svg' || !$wgAllowTitlesInSVG )
+			$tags[] = '<title';
 
 		foreach( $tags as $tag ) {
 			if( false !== strpos( $chunk, $tag ) ) {
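Review bot: the exemption compares $mime with the exact string 'image/svg'; please confirm that this is the only value the MIME detector produces for SVG uploads, because a file identified under any other spelling of the type would still have '<title' appended and be rejected, leaving the new setting silently ineffective. Also, removing '<title' from the literal array drops the "#also in safari" annotation that records why the tag is blacklisted at all (Safari sniffs a document containing <title> as HTML regardless of the declared type); move that comment next to the new `$tags[] = '<title';` line so the next reader understands which sniffing risk the exemption reopens. The boolean itself is correct: '<title' is blacklisted unless the file is SVG and the option is on.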
Index: trunk/phase3/includes/DefaultSettings.php
===================================================================
--- trunk/phase3/includes/DefaultSettings.php	(revision 14083)
+++ trunk/phase3/includes/DefaultSettings.php	(revision 14084)
@@ -1951,4 +1951,13 @@
  */
 $wgReservedUsernames = array( 'MediaWiki default', 'Conversion script' );
 
+/**
+ * MediaWiki will reject HTMLesque tags in uploaded files due to idiotic browsers which can't
+ * perform basic stuff like MIME detection and which are vulnerable to further idiots uploading
+ * crap files as images. When this directive is on, <title> will be allowed in files with
+ * an "image/svg" MIME type. You should leave this disabled if your web server is misconfigured
+ * and doesn't send appropriate MIME types for SVG images.
+ */
+$wgAllowTitlesInSVG = false;
+
 ?>
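Review bot: the new doc comment should state the concrete risk instead of characterizing browsers and uploaders. If this is enabled and the web server serves .svg files without an SVG Content-Type, a sniffing browser can treat an uploaded SVG containing <title> as an HTML document, which defeats the embedded-script check that detectScript() exists to enforce. Suggested wording: "Only enable this after verifying that your web server sends the correct Content-Type for .svg files", and note that the exemption applies only when the detected MIME type is exactly 'image/svg', matching the comparison in SpecialUpload.php.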
Index: trunk/phase3/RELEASE-NOTES
===================================================================
--- trunk/phase3/RELEASE-NOTES	(revision 14083)
+++ trunk/phase3/RELEASE-NOTES	(revision 14084)
@@ -204,6 +204,9 @@
 * Rewritten removeUnusedAccounts to be more efficient, print names of inactive
   accounts
 * Redirect Special:Userlist to Special:Listusers
+* Introduce $wgAllowTitlesInSVG, which allows the <title> attribute in uploaded files
+  bearing the image/svg MIME type. Disabled by default due to the vast majority of
+  web servers being hideously misconfigured. See DefaultSettings.php for more details.
 
 == Compatibility ==
 
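Review bot: <title> is an element, not an attribute; the release note should read "the <title> element", and the same wording appears in the commit comment. It would also help operators to say here that the rejection is lifted only for files whose detected MIME type is image/svg, since that is the condition the code actually tests.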