Last modified: 2014-09-17 12:00:15 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T69044, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 67044 - Scripted SVG checks blacklist all filter attributes, even if local to current svg doc


Summary:	Scripted SVG checks blacklist all filter attributes, even if local to current...

Status:	PATCH_TO_REVIEW

Product:	MediaWiki
Classification:	Unclassified
Component:	Uploading (Other open bugs)
Version:	1.24rc
Hardware:	All All

Importance:	Low normal (vote)
Target Milestone:	---
Assigned To:	Nobody - You can work on this!

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2014-06-24 18:52 UTC by PRO
Modified:	2014-09-17 12:00 UTC (History)
CC List:	9 users (show)

See Also:	70937
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
Get an script/html warning on upload (81.98 KB, image/svg+xml) 2014-06-24 18:52 UTC, PRO	Details
SVG with filters removed (81.72 KB, image/svg+xml) 2014-07-28 14:14 UTC, Fæ	Details
Add an attachment (proposed patch, testcase, etc.)

Description PRO 2014-06-24 18:52:19 UTC

Created attachment 15716 [details]
Get an script/html warning on upload

I got an ERROR unspecific warning: "This file contains HTML or script code that may be erroneously interpreted by a web browser."
After some testing I found the cause.

Here the same fixed file: [[File:Topographic map of Cape Verde-de.svg]] the difference is only the SVG filter attribute presentation which seems only accepted in a style attribute.

Comment 1 Andre Klapper 2014-07-21 11:21:21 UTC

> I got an ERROR unspecific warning: "This file contains HTML or script
>  code that may be erroneously interpreted by a web browser."

Where and how is this displayed? Is this about Special:Upload ?

Comment 2 PRO 2014-07-23 11:17:26 UTC

Yes, it is displayed on upload.

Comment 3 Andre Klapper 2014-07-23 13:45:31 UTC

Sorry but the last comment is ambiguous - do you refer to the time or the place? Is this on Commons? Special:Upload or UploadWizard or both?

Comment 4 PRO 2014-07-26 13:44:37 UTC

Sorry I did not think that one has to be so specific. Yes it is on Commons, but that should not matter? And yes it's both, so this does not matter (the Wizard msg is a bit different)? I think there are some attributes left in the SVG restriction upload-"filter", here the SVG attribute "filter" himself (on line 147 in the attachment).

Comment 5 PRO 2014-07-26 13:46:32 UTC

Can you simply upload the file?? (test on simply [[c:File:Test.svg]])

Comment 6 Andre Klapper 2014-07-26 15:43:28 UTC

If it's on both, then it's relevant to mention that it's on both. 
Thanks for testing it. :)

Comment 7 Fæ 2014-07-28 14:14:20 UTC

Created attachment 16060 [details]
SVG with filters removed

This is identical to the original SVG file apart with filters removed. Tested at https://commons.wikimedia.org/w/index.php?title=File:Test.svg&oldid=130044706

Comment 8 PRO 2014-07-28 20:00:06 UTC

(In reply to Fæ from comment #7)
> Created attachment 16060 [details]
> SVG with filters removed
> 
> This is identical to the original SVG file apart with filters removed.
> Tested at
> https://commons.wikimedia.org/w/index.php?title=File:Test.svg&oldid=130044706

What is the new information?

Comment 9 Fæ 2014-07-28 20:05:13 UTC

(In reply to PRO from comment #8)
> (In reply to Fæ from comment #7)
> > Created attachment 16060 [details]
> > SVG with filters removed
> > 
> > This is identical to the original SVG file apart with filters removed.
> > Tested at
> > https://commons.wikimedia.org/w/index.php?title=File:Test.svg&oldid=130044706
> 
> What is the new information?

No new information, only that filter effects embedded in SVG files appear to be what cause the rejection on upload to Commons. Removing them from the file source eliminates the problem. See http://www.w3.org/TR/SVG/filters.html

Comment 10 Bawolff (Brian Wolff) 2014-07-28 20:29:48 UTC

Just for reference, I know where the html script error is displayed. Its an upload warning that happens during the upload process. (internally, the uploadscripted message)

Comment 11 Bawolff (Brian Wolff) 2014-07-28 20:42:23 UTC

So, this limitation was intentional. To quote our code:

                        # image filters can pull in url, which could be svg that executes scripts
                        if ( $strippedElement == 'image'
                                && $stripped == 'filter'
                                && preg_match( '!url\s*\(!sim', $value )
                        ) {
                                wfDebug( __METHOD__ . ": Found image filter with url: "
                                        . "\"<$strippedElement $stripped='$value'...\" in uploaded file.\n" );

                                return true;
                        }

However the main intent of this block seems to be to prevent external filters, not filters from the same file.

CSteipp: Would it be ok to relax the filter restriction so it only blacklists external urls, but is ok for things like filter: url( #foo ); and filter: url( '#bar' ); ? This would be similar to how we handle style attributes.

Comment 12 Bawolff (Brian Wolff) 2014-07-28 20:49:48 UTC

> 
> However the main intent of this block seems to be to prevent external
> filters, not filters from the same file.
> 
> CSteipp: Would it be ok to relax the filter restriction so it only
> blacklists external urls, but is ok for things like filter: url( #foo ); and
> filter: url( '#bar' ); ? This would be similar to how we handle style
> attributes.

Important note I should mention here, is that (based on my reading of the code) we already disallow (externally linking) xlink:href attributes on <filter> elements, so allowing filter="url( '#foo' )" attributes wouldn't be able to get to an external document simply by referencing a <filter> element with xlink:href attribute pointing to another document.

Comment 13 PRO 2014-07-28 21:02:52 UTC

(In reply to Fæ from comment #9)
It seems you overlooked the opening post. But thanks to made more attention to this bug.

(In reply to Fæ from comment #11)
So you can simply fix it? Because the exactly same filter in a style worked!? Or it means that the filter restriction is/was not thorough enough to style="filter:..."? Thank you.

Comment 14 Bawolff (Brian Wolff) 2014-07-28 21:08:16 UTC

(In reply to PRO from comment #13)
> (In reply to Fæ from comment #9)
> It seems you overlooked the opening post. But thanks to made more attention
> to this bug.
> 
> (In reply to Fæ from comment #11)
> So you can simply fix it? Because the exactly same filter in a style
> worked!? Or it means that the filter restriction is/was not thorough enough
> to style="filter:..."? Thank you.

Yes. style="filter: url( #filtera )" is currently allowed (Which is even better reasoning to relax the restrictions on filter= attribute.

Comment 15 Gerrit Notification Bot 2014-07-28 21:41:00 UTC

Change 150048 had a related patch set uploaded by Brian Wolff:
[DO NOT MERGE] Relax filter attribute filtering to allow self-referential urls

https://gerrit.wikimedia.org/r/150048

Note You need to log in before you can comment on or make changes to this bug.

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links