From 1608f432826a41e035ee7ddb0dd409bbcf559b43 Mon Sep 17 00:00:00 2001
From: thomascube
Date: Wed, 24 Dec 2008 14:19:27 +0000
Subject: [PATCH] Secure bin scripts by requiring a valid session and replace preg_replace(/../e) with preg_replace_callback
---
 bin/html2text.php | 16 ++++++++++++----
 bin/modcss.php | 10 +++++++---
 bin/quotaimg.php | 12 +++++++++---
 program/include/main.inc | 22 +++++++++++++++-------
 4 files changed, 43 insertions(+), 17 deletions(-)
diff --git a/bin/html2text.php b/bin/html2text.php
index 3839f5d34..82a4044f8 100644
--- a/bin/html2text.php
+++ b/bin/html2text.php
@@ -20,11 +20,19 @@
  */
 define('INSTALL_PATH', realpath(dirname(__FILE__) . '/..') . '/');
-require INSTALL_PATH.'program/include/iniset.php';
+require INSTALL_PATH . 'program/include/iniset.php';
-$converter = new html2text($HTTP_RAW_POST_DATA);
+$RCMAIL = rcmail::get_instance();
-header('Content-Type: text/plain; charset=UTF-8');
-print trim($converter->get_text());
+if (!empty($RCMAIL->user->ID)) {
+ $converter = new html2text($HTTP_RAW_POST_DATA);
+
+ header('Content-Type: text/plain; charset=UTF-8');
+ print trim($converter->get_text());
+}
+else {
+ header("HTTP/1.0 403 Forbidden");
+ echo "Requires a valid user session";
+}
 ?>
diff --git a/bin/modcss.php b/bin/modcss.php
index 08da36707..d0a3cc934 100644
--- a/bin/modcss.php
+++ b/bin/modcss.php
@@ -20,10 +20,12 @@
  */
 define('INSTALL_PATH', realpath(dirname(__FILE__) . '/..') . '/');
-require INSTALL_PATH.'program/include/iniset.php';
+require INSTALL_PATH . 'program/include/iniset.php';
+
+$RCMAIL = rcmail::get_instance();
 $source = "";
-if ($url = preg_replace('/[^a-z0-9.-_\?\$&=%]/i', '', $_GET['u']))
+if (!empty($RCMAIL->user->ID) && ($url = preg_replace('/[^a-z0-9.-_\?\$&=%]/i', '', $_GET['u'])))
 {
 $a_uri = parse_url($url);
 $port = $a_uri['port'] ? $a_uri['port'] : 80;
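Review bot: Inside the new session-guarded branch, `$HTTP_RAW_POST_DATA` is only populated for some request content types unless the `always_populate_raw_post_data` ini setting is on, so the converter can silently receive an empty body depending on how the client posts; reading the body explicitly removes that dependency, `$converter = new html2text(file_get_contents('php://input'));`. The 403 branch also emits a body without the `Content-Type` the success branch sets, so adding `header('Content-Type: text/plain; charset=UTF-8');` before the `echo` keeps both responses consistent.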
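Review bot: The fetch is now limited to logged-in users, but `u` is still only character-filtered before `parse_url`, so any authenticated user can make the server open a connection to an arbitrary host and port, including ones reachable only from the server itself. The character class `[^a-z0-9.-_\?\$&=%]` appears to pass `/`, `:` and `\` only because `.-_` is a range from `.` (0x2E) to `_` (0x5F) rather than a literal hyphen, and that range also admits `;`, `<`, `>` and `[`, which a URL whitelist would not normally need. Listing the intended characters explicitly, e.g. `'/[^a-z0-9._\-\/:@?$&=%]/i'`, makes the allowed set reviewable, and a scheme check right after `$a_uri = parse_url($url);` (e.g. `in_array($a_uri['scheme'], array('http', 'https'))`, skipping the fetch otherwise) rules out non-HTTP targets; whether to also restrict destination hosts is a deployment decision worth a comment. The `if` body continues below the hunk.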
@@ -59,7 +61,9 @@ if (!empty($source))
 header("Content-Type: text/css");
 echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['c']), $url);
 }
-else
+else {
 header("HTTP/1.0 404 Not Found");
+ echo "Requires a valid user session and source url";
+}
 ?>
diff --git a/bin/quotaimg.php b/bin/quotaimg.php
index dfec24150..a15c4c372 100644
--- a/bin/quotaimg.php
+++ b/bin/quotaimg.php
@@ -18,6 +18,11 @@
  */
+define('INSTALL_PATH', realpath(dirname(__FILE__).'/..') . '/');
+require INSTALL_PATH . 'program/include/iniset.php';
+
+$RCMAIL = rcmail::get_instance();
+
 $used = isset($_GET['u']) ? intval($_GET['u']) : '??';
 $quota = isset($_GET['q']) ? intval($_GET['q']) : '??';
 $width = empty($_GET['w']) ? 100 : min(300, intval($_GET['w']));
@@ -186,11 +191,12 @@ function genQuota($used, $total, $width, $height)
 imagedestroy($im);
 }
-if ($width > 1 && $height > 1) {
- genQuota($used, $quota, $width, $height);
+if (!empty($RCMAIL->user->ID) && $width > 1 && $height > 1) {
+ genQuota($used, $quota, $width, $height);
 } else {
- header("HTTP/1.0 404 Not Found");
+ header("HTTP/1.0 403 Forbidden");
+ echo "Requires a valid user session and positive values";
 }
 exit;
diff --git a/program/include/main.inc b/program/include/main.inc
index 7cf739282..114e48819 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
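Review bot: The `else` branch keeps answering `404 Not Found` while its new message says a session is required, and the sibling scripts in this commit (html2text.php, quotaimg.php) answer `403 Forbidden` for the same condition. Since `$RCMAIL` is in scope here, the two failure causes can be told apart in one line, `header(empty($RCMAIL->user->ID) ? "HTTP/1.0 403 Forbidden" : "HTTP/1.0 404 Not Found");`, with the message adjusted to match. The `if` this `else` belongs to starts above the hunk.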
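Review bot: The merged condition returns `403 Forbidden` both when there is no session and when `w`/`h` are out of range, so a logged-in client with a bad dimension receives an authorisation error and the message has to hedge with "and positive values". Testing the session first keeps each status code meaningful and lets the messages be specific; the rewritten tail of the script is below (genQuota and the variables it uses are unchanged). The `$used`/`$quota` fallbacks of `'??'` from the earlier hunk still reach `genQuota` unchanged, which may be intended but is worth a comment.
```php
if (empty($RCMAIL->user->ID)) {
  header("HTTP/1.0 403 Forbidden");
  echo "Requires a valid user session";
}
else if ($width > 1 && $height > 1) {
  genQuota($used, $quota, $width, $height);
}
else {
  header("HTTP/1.0 404 Not Found");
  echo "Requires positive width and height values";
}
exit;
```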
@@ -612,18 +612,26 @@ function rcmail_mod_css_styles($source, $container_id, $base_url = '')
 array(
 '/(^\s*\s*$)/',
 '/(^\s*|,\s*|\}\s*)([a-z0-9\._#][a-z0-9\.\-_]*)/im',
- '/@import\s+(url\()?[\'"]?([^\)\'"]+)[\'"]?(\))?/ime',
- '/<>/e',
- "/$container_id\s+body/i"
+ "/$container_id\s+body/i",
 ),
 array(
 '',
 "\\1#$container_id \\2",
- "sprintf(\"@import url('./bin/modcss.php?u=%s&c=%s')\", urlencode(make_absolute_url('\\2','$base_url')), urlencode($container_id))",
- "\$a_css_values[\\1]",
- "$container_id div.rcmBody"
+ "$container_id div.rcmBody",
 ),
 $source);
+
+ // replace all @import statements to modify the imported CSS sources too
+ $styles = preg_replace_callback(
+ '/@import\s+(url\()?[\'"]?([^\)\'"]+)[\'"]?(\))?/im',
+ create_function('$matches', "return sprintf(\"@import url('./bin/modcss.php?u=%s&c=%s')\", urlencode(make_absolute_url(\$matches[2],'$base_url')), urlencode('$container_id'));"),
+ $styles);
+
+ // put block contents back in
+ $styles = preg_replace_callback(
+ '/<>/',
+ create_function('$matches', "\$values = ".var_export($a_css_values, true)."; return \$values[\$matches[1]];"),
+ $styles);
 return $styles;
 }
@@ -639,7 +647,7 @@ function rcmail_mod_css_styles($source, $container_id, $base_url = '')
 function rcmail_xss_entitiy_decode($content)
 {
 $out = html_entity_decode(html_entity_decode($content));
- $out = preg_replace('/\\\([0-9a-f]{4})/ie', "chr(hexdec('\\1'))", $out);
+ $out = preg_replace_callback('/\\\([0-9a-f]{4})/i', create_function('$matches', 'return chr(hexdec($matches[1]));'), $out);
 $out = preg_replace('#/\*.*\*/#Um', '', $out);
 return $out;
 }
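Review bot: The first new `create_function` body splices `$base_url` and `$container_id` into PHP source as single-quoted literals (`'$base_url'`, `'$container_id'`), so caller-supplied data is still compiled as code much as the removed `/e` replacement did, and a single quote in either value changes the generated code rather than the string. The second callback already handles this correctly with `var_export($a_css_values, true)`; doing the same in the first, `urlencode(make_absolute_url(\$matches[2], ".var_export($base_url, true).")), urlencode(".var_export($container_id, true).")`, makes the generated source well-formed for any input. modcss.php filters `c` and `u` before calling this function, but other callers are not visible in this diff, so the function should not rely on that. `create_function` also registers a new function on every call that is never released; on PHP 5.3 a closure with `use ($base_url, $container_id)` would avoid both issues. rcmail_mod_css_styles starts above the hunk.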
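Review bot: The pattern carried into the callback, `/\\\([0-9a-f]{4})/i`, matches only escapes of exactly four hex digits, whereas the CSS escape grammar allows one to six digits optionally followed by one whitespace character, so a decoder that presumably normalises styles before XSS checks (its callers are not in this diff) leaves shorter and longer forms untouched; `preg_replace_callback('/\\\([0-9a-f]{1,6})\s?/i', ...)` with the same callback follows the grammar more closely. `chr(hexdec(...))` also reduces any code point above 255 modulo 256, which does not break detection but means the result is not the decoded text, and deserves a comment such as `// code points above 0xff are folded by chr(); output is for keyword detection, not display`. The whole function is inside the hunk.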