Last modified: 2014-05-24 15:45:42 UTC
Tim pointed out on bug 57550 that our SVG script checker doesn't check to ensure that the xml parser found the svg to be well formed. The checkSvgScriptCallback isn't called for any part of the svg following invalid xml, so anything that would be caught as a script in checkSvgScriptCallback is skipped. In testing, it appears that modern versions of FF/Chrome/Opera all stop rendering svg files when they encounter invalid xml. However, in case any older browsers ignore errors, we should also reject invalid xml for SVG uploads.
The cases where xml_parse() returns false are broader than the strict definition of invalid XML. For example, libxml loads the values of attributes into dynamically allocated memory. With ulimit/cgroup limiting memory usage, the malloc() can return NULL, which leads to xml_parse() returning 0 and giving a PHP warning like:
Warning: xml_parse(): Memory allocation failed : growing buffer in /srv/mw/core/includes/libs/XmlTypeCheck.php on line 124
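The failure mode described in the two comments above, as an added example in Python rather than MediaWiki's PHP code: Python's expat bindings stand in for PHP's xml_parse(), the start-element callback stands in for checkSvgScriptCallback, and the three SVG inputs are constructed here for illustration (they are not from the bug report). The point it shows is that a callback-based checker never sees a <script> element placed after the first well-formedness error, so the parse result itself has to be checked, and that any parse failure (the MemoryError branch stands in for the malloc() case) must be treated as a rejection.

```python
import xml.parsers.expat

# Constructed sample inputs (not from the bug report).
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
# The malformed token ("<<") appears before the script element, so a checker
# that only looks at what its callbacks reported never sees the script.
BROKEN_THEN_SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><rect/>'
                          b'<</bogus><script>alert(1)</script></svg>')


def scan_svg(data):
    """Parse with callbacks, in the style of XmlTypeCheck, and report two
    separate facts: (parse_ok, script_seen).  parse_ok is False whenever the
    parser gives up for any reason, mirroring xml_parse() returning 0."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    found = {"script": False}

    def start_element(name, attrs):
        # With namespace_separator set, name is "<uri> <local>" or "<local>".
        local = name.split(" ")[-1]
        if local.lower() == "script":
            found["script"] = True
        # Event-handler attributes (onload=..., onclick=...) are script too.
        for attr in attrs:
            if attr.split(" ")[-1].lower().startswith("on"):
                found["script"] = True

    parser.StartElementHandler = start_element
    try:
        parser.Parse(data, True)
    except (xml.parsers.expat.ExpatError, MemoryError):
        # ExpatError: the document is not well-formed.  MemoryError stands in
        # for the malloc() failure case from the comment above: the document
        # may be fine, but the parser still did not get through all of it.
        return False, found["script"]
    return True, found["script"]


def check_svg_before_fix(data):
    """Behaviour before the fix: trusts the callback result alone."""
    _parse_ok, script_seen = scan_svg(data)
    return not script_seen


def check_svg_after_fix(data):
    """Behaviour after the fix: reject anything the parser could not fully parse."""
    parse_ok, script_seen = scan_svg(data)
    return parse_ok and not script_seen


if __name__ == "__main__":
    for label, svg in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                       ("broken-then-script", BROKEN_THEN_SCRIPT_SVG)]:
        print(label, "before fix:", check_svg_before_fix(svg),
              "after fix:", check_svg_after_fix(svg))
```

Running it shows the clean file accepted and the plain script file rejected by both versions, while the broken-then-script file is accepted only by the pre-fix check: the start-element callback fired for svg and rect, the parser stopped at the bad token, and the script element was never reported.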
Created attachment 14116 [details] Return error on invalid XML
Hmm.. didn't see your comment until I posted that. Perhaps the error should be "Couldn't parse the XML"?
Created attachment 14124 [details] Return error if XML can't be parsed for SVGs
Added the translations to this version. Updated the message per Tim's comment.
Looks good.
Created attachment 14143 [details] Patch rebased on the patch for bug 57550
This was assigned CVE-2013-6453
Created attachment 14267 [details] Return error if XML can't be parsed for SVGs (1.19 branch)
Created attachment 14268 [details] Return error if XML can't be parsed for SVGs (1.21 branch)
Created attachment 14269 [details] Return error if XML can't be parsed for SVGs (1.22 branch)