Diffstat (limited to 'includes')
-rw-r--r-- | includes/DefaultSettings.php | 4 | ||||
-rw-r--r-- | includes/Sanitizer.php | 50 | ||||
-rw-r--r-- | includes/db/DatabaseSqlite.php | 7 |
3 files changed, 46 insertions, 15 deletions
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 136817bf..4ac466c8 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -33,7 +33,7 @@ if ( !defined( 'MW_PHP4' ) ) {
 }
 /** MediaWiki version number */
-$wgVersion = '1.15.1';
+$wgVersion = '1.15.2';
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
@@ -2561,7 +2561,7 @@ $wgAutoloadClasses = array();
 * $wgExtensionCredits[$type][] = array(
 * 'name' => 'Example extension',
 * 'version' => 1.9,
- * 'svn-revision' => '$LastChangedRevision: 53179 $',
+ * 'svn-revision' => '$LastChangedRevision: 63438 $',
 * 'author' => 'Foo Barstein',
 * 'url' => 'http://wwww.example.com/Example%20Extension/',
 * 'description' => 'An example extension',
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 5d58b036..0b70e002 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -658,24 +658,48 @@ class Sanitizer {
 * @return mixed
 */
 static function checkCss( $value ) {
- $stripped = Sanitizer::decodeCharReferences( $value );
+ $value = Sanitizer::decodeCharReferences( $value );
 // Remove any comments; IE gets token splitting wrong
- $stripped = StringUtils::delimiterReplace( '/*', '*/', ' ', $stripped );
-
- $value = $stripped;
-
- // ... and continue checks
- $stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e',
- 'codepointToUtf8(hexdec("$1"))', $stripped );
- $stripped = str_replace( '\\', '', $stripped );
- if( preg_match( '/(?:expression|tps*:\/\/|url\\s*\().*/is',
- $stripped ) ) {
- # haxx0r
+ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+
+ // Decode escape sequences and line continuation
+ // See the grammar in the CSS 2 spec, appendix D, Mozilla implements it accurately.
+ // IE 8 doesn't implement it at all, but there's no way to introduce url() into
+ // IE that doesn't hit Mozilla also.
+ static $decodeRegex;
+ if ( !$decodeRegex ) {
+ $space = '[\\x20\\t\\r\\n\\f]';
+ $nl = '(?:\\n|\\r\\n|\\r|\\f)';
+ $backslash = '\\\\';
+ $decodeRegex = "/ $backslash
+ (?:
+ ($nl) | # 1. Line continuation
+ ([0-9A-Fa-f]{1,6})$space? | # 2. character number
+ (.) # 3. backslash cancelling special meaning
+ )/xu";
+ }
+ $decoded = preg_replace_callback( $decodeRegex,
+ array( __CLASS__, 'cssDecodeCallback' ), $value );
+ if ( preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) {
+ // Not allowed
 return false;
+ } else {
+ // Allowed, return CSS with comments stripped
+ return $value;
 }
+ }
- return $value;
+ static function cssDecodeCallback( $matches ) {
+ if ( $matches[1] !== '' ) {
+ return '';
+ } elseif ( $matches[2] !== '' ) {
+ return codepointToUtf8( hexdec( $matches[2] ) );
+ } elseif ( $matches[3] !== '' ) {
+ return $matches[3];
+ } else {
+ throw new MWException( __METHOD__.': invalid match' );
+ }
 }
 /**
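Review bot: In checkCss, the result of `preg_replace_callback` goes straight into `preg_match` with no check for a `null` return. Because `$decodeRegex` carries the `/u` modifier, PCRE returns `null` when `$value` is not valid UTF-8; the pattern test then matches nothing and the function falls through to `return $value`, so the filter fails open on input it could not decode. Adding `if ( $decoded === null ) { return false; }` before the `preg_match` call would reject such input; whether callers already guarantee valid UTF-8 is not visible here, and checkCss's docblock begins above the hunk. The new `cssDecodeCallback` also has no doc comment; one line saying it receives the three capture groups of `$decodeRegex` and returns the decoded text would help the next reader.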
diff --git a/includes/db/DatabaseSqlite.php b/includes/db/DatabaseSqlite.php
index 7a595697..455c0b48 100644
--- a/includes/db/DatabaseSqlite.php
+++ b/includes/db/DatabaseSqlite.php
@@ -497,6 +497,13 @@ class DatabaseSqlite extends Database {
 return $s;
 }
+ /*
+ * Build a concatenation list to feed into a SQL query
+ */
+ function buildConcat( $stringList ) {
+ return '(' . implode( ') || (', $stringList ) . ')';
+ }
+
 } // end DatabaseSqlite class
 /** |
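Review bot: `buildConcat` splices each element of `$stringList` into the SQL text unchanged, so every element must already be a complete, safely quoted SQL expression, and the comment should state that contract: `Each element must be a valid SQL expression; literal strings must be quoted by the caller (e.g. with addQuotes()) before being passed in.` The comment opens with `/*` rather than `/**`, so documentation tools will not treat it as a docblock. An empty `$stringList` produces `()`, which is presumably not valid SQL; how the parent class handles that case is outside the hunk.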