From e7fa8cbdd53c08612f0bda912d3cf8eec8414be6 Mon Sep 17 00:00:00 2001 From: "Edward Z. Yang" Date: Thu, 15 May 2008 05:21:37 +0000 Subject: [PATCH] [2.1.4] [MFH] Add protection against imagecrash attack with CSS height/width from r1684 git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/branches/php4@1719 48356398-32a2-884e-a903-53898d9a118a --- NEWS | 1 + .../AttrDef/CSS/DenyElementDecorator.php | 26 +++++++++++++++++++ library/HTMLPurifier/CSSDefinition.php | 6 +++-- .../Strategy/ValidateAttributesTest.php | 7 +++++ 4 files changed, 38 insertions(+), 2 deletions(-) create mode 100644 library/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php diff --git a/NEWS b/NEWS index 627afd1d..5722b534 100644 --- a/NEWS +++ b/NEWS @@ -28,6 +28,7 @@ ERRATA - HTMLPurifier_HTMLDefinition->addAttribute can now be called multiple times on the same element without emitting errors. - Iconv uses set_error_handler instead of shut-up operator +- Add protection against imagecrash attack with CSS height/width 2.1.3, released 2007-11-05 ! tests/multitest.php allows you to test multiple versions by running diff --git a/library/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php b/library/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php new file mode 100644 index 00000000..b0a6db9d --- /dev/null +++ b/library/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php @@ -0,0 +1,26 @@ +def =& $def; + $this->element = $element; + } + /** + * Checks if CurrentToken is set and equal to $this->element + */ + function validate($string, $config, $context) { + $token = $context->get('CurrentToken', true); + if ($token && $token->name == $this->element) return false; + return $this->def->validate($string, $config, $context); + } +} diff --git a/library/HTMLPurifier/CSSDefinition.php b/library/HTMLPurifier/CSSDefinition.php index 2acf7cf8..2fc73b90 100644 --- a/library/HTMLPurifier/CSSDefinition.php +++ b/library/HTMLPurifier/CSSDefinition.php 
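Review bot: In `validate()` the deny check is skipped whenever `CurrentToken` is absent from the context — `$token` is falsy, so the call falls straight through to `$this->def->validate(...)` and `width`/`height` are accepted regardless of element. That is presumably intended for callers that validate CSS outside any element (the `true` second argument to `$context->get()` looks like it suppresses the missing-key error), but it means the protection depends on every validation path setting `CurrentToken`, which is worth stating in the docblock: `Falls through to the wrapped definition when no CurrentToken is in the context, so the deny only applies where the caller has set one.` Consider `===` rather than `==` for the element-name comparison, since both sides are expected to be strings and strict comparison avoids PHP's numeric-string coercion. The first lines of this hunk (the opening tag, class declaration and constructor signature) appear to have been lost in this rendering, so the constructor and property declarations are outside what is visible here.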
@@ -7,6 +7,7 @@ require_once 'HTMLPurifier/AttrDef/CSS/BackgroundPosition.php'; require_once 'HTMLPurifier/AttrDef/CSS/Border.php'; require_once 'HTMLPurifier/AttrDef/CSS/Color.php'; require_once 'HTMLPurifier/AttrDef/CSS/Composite.php'; +require_once 'HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php'; require_once 'HTMLPurifier/AttrDef/CSS/Font.php'; require_once 'HTMLPurifier/AttrDef/CSS/FontFamily.php'; require_once 'HTMLPurifier/AttrDef/CSS/Length.php'; @@ -176,12 +177,13 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition )); $this->info['width'] = - $this->info['height'] = + $this->info['height'] = + new HTMLPurifier_AttrDef_CSS_DenyElementDecorator( new HTMLPurifier_AttrDef_CSS_Composite(array( new HTMLPurifier_AttrDef_CSS_Length(true), new HTMLPurifier_AttrDef_CSS_Percentage(true), new HTMLPurifier_AttrDef_Enum(array('auto')) - )); + )), 'img'); $this->info['text-decoration'] = new HTMLPurifier_AttrDef_CSS_TextDecoration(); diff --git a/tests/HTMLPurifier/Strategy/ValidateAttributesTest.php b/tests/HTMLPurifier/Strategy/ValidateAttributesTest.php index 25359425..594011b0 100644 --- a/tests/HTMLPurifier/Strategy/ValidateAttributesTest.php +++ b/tests/HTMLPurifier/Strategy/ValidateAttributesTest.php @@ -180,6 +180,13 @@ class HTMLPurifier_Strategy_ValidateAttributesTest extends ); } + function testRemoveCSSWidthAndHeightOnImg() { + $this->assertResult( + '', + '' + ); + } + }
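Review bot: The `'img'` literal passed to `HTMLPurifier_AttrDef_CSS_DenyElementDecorator` on the last added line carries the whole rationale for the change but has no comment; a one-line note would save the next reader a trip to NEWS: `// width/height are denied on img to block the imagecrash attack (see NEWS)`. Because of the chained assignment a single decorator instance now serves both `$this->info['width']` and `$this->info['height']`, which is fine for this stateless check but would matter if the decorator ever accumulated state. The denial only covers the CSS `width`/`height` properties; whether the HTML `width`/`height` attributes of `img` receive equivalent treatment is not visible in this hunk.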
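Review bot: `testRemoveCSSWidthAndHeightOnImg` only exercises the deny branch; nothing in this hunk asserts that `width`/`height` in `style` still survive on a non-`img` element, so a regression that denied them everywhere would pass this test. Add a sibling case such as `testPreserveCSSWidthAndHeightOnDiv` whose input is a `div` with `style="width:10px;height:10px;"` and whose expected output is that same markup unchanged. The two fixture strings in the added `assertResult()` call appear as empty `''` in this rendering, so the img markup the test actually uses is not visible here.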