Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899)

pull/6908/head
Aleksander Machniak 5 years ago
parent 7bf868767e
commit 057fb69bb9

@ -81,6 +81,7 @@ CHANGELOG Roundcube Webmail
- Fix wrong messages order after returning to a multi-folder search result (#6836) - Fix wrong messages order after returning to a multi-folder search result (#6836)
- Fix some PHP 7.4 compat. issues (#6884, #6866) - Fix some PHP 7.4 compat. issues (#6884, #6866)
- Fix security issue where it was possible to bypass the position:fixed CSS check in received messages (#6898) - Fix security issue where it was possible to bypass the position:fixed CSS check in received messages (#6898)
- Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899)
RELEASE 1.4-rc1 RELEASE 1.4-rc1
--------------- ---------------

@ -385,7 +385,7 @@ class rcube_utils
return '/* evil! */'; return '/* evil! */';
} }
$strict_url_regexp = '!url\s*\([ "\'](https?:)//[a-z0-9/._+-]+["\' ]\)!Uims'; $strict_url_regexp = '!url\s*\(\s*["\']?(https?:)//[a-z0-9/._+-]+["\']?\s*\)!Uims';
// cut out all contents between { and } // cut out all contents between { and }
while (($pos = strpos($source, '{', $last_pos)) && ($pos2 = strpos($source, '}', $pos))) { while (($pos = strpos($source, '{', $last_pos)) && ($pos2 = strpos($source, '}', $pos))) {

@ -233,6 +233,10 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
$this->assertContains("#rcmbody { background-image: url(data:image/png;base64,123);", $mod, "Data URIs in url() allowed [1]"); $this->assertContains("#rcmbody { background-image: url(data:image/png;base64,123);", $mod, "Data URIs in url() allowed [1]");
$mod = rcube_utils::mod_css_styles("body { background-image: url(data:image/png;base64,123); }", 'rcmbody', true); $mod = rcube_utils::mod_css_styles("body { background-image: url(data:image/png;base64,123); }", 'rcmbody', true);
$this->assertContains("#rcmbody { background-image: url(data:image/png;base64,123);", $mod, "Data URIs in url() allowed [2]"); $this->assertContains("#rcmbody { background-image: url(data:image/png;base64,123);", $mod, "Data URIs in url() allowed [2]");
// Allow strict url()
$mod = rcube_utils::mod_css_styles("body { background-image: url(http://example.com); }", 'rcmbody', true);
$this->assertContains("#rcmbody { background-image: url(http://example.com);", $mod, "Strict URIs in url() allowed with \$allow_remote=true");
} }
/** /**

Loading…
Cancel
Save