Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)

release-1.2
Aleksander Machniak 7 years ago
parent ead587ad59
commit 1fd9ad242e

@ -3,6 +3,7 @@ CHANGELOG Roundcube Webmail
- Fix rewind(): stream does not support seeking (#5950)
- Fix bug where HTML messages could have been rendered empty on some systems (#5957)
- Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
RELEASE 1.2.6
-------------

@ -419,10 +419,17 @@ class rcube_utils
if ($allow_remote) {
$a_styles = preg_split('/;[\r\n]*/', $styles, -1, PREG_SPLIT_NO_EMPTY);
foreach ($a_styles as $line) {
for ($i=0, $len=count($a_styles); $i < $len; $i++) {
$line = $a_styles[$i];
$stripped = preg_replace('/[^a-z\(:;]/i', '', $line);
// ... and only allow strict url() values
if (stripos($stripped, 'url(') && !preg_match($strict_url_regexp, $line)) {
// allow data:image uri, join with continuation
if (stripos($stripped, 'url(data:image')) {
$a_styles[$i] .= ';' . $a_styles[$i+1];
unset($a_styles[$i+1]);
}
// allow strict url() values only
else if (stripos($stripped, 'url(') && !preg_match($strict_url_regexp, $line)) {
$a_styles = array('/* evil! */');
break;
}
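Review bot: The continuation segment appended at `$a_styles[$i] .= ';' . $a_styles[$i+1];` is never itself checked against `$strict_url_regexp` — the data-URI branch wins over the `else if` strict check, the merged value is not re-examined, and the loop then moves on past the removed index — so a `url()` carried in that second segment skips the filter that otherwise replaces the styles with `/* evil! */`. The same line reads `$a_styles[$i+1]` without `isset()`, which raises a notice and appends an empty string when the data URI is the last split segment, and because `$len` is fixed before the loop, the following iteration reads the index that was just unset. A safer shape guards the join with `isset()`, splices rather than unsets so the array stays a list, and re-runs the iteration on the merged segment; this assumes `$strict_url_regexp` (defined outside the hunk) accepts a complete data: URI, which the #5580 intent suggests but is worth confirming. The enclosing method (presumably `mod_css_styles`, per the test file) starts and ends outside the hunk.
```php
for ($i = 0; $i < count($a_styles); $i++) {
    $line     = $a_styles[$i];
    $stripped = preg_replace('/[^a-z\(:;]/i', '', $line);
    // data:image URIs contain ';' and get split; re-join the continuation
    // segment, then re-run this iteration so the merged value is validated
    if (stripos($stripped, 'url(data:image') !== false
        && !preg_match($strict_url_regexp, $line)
        && isset($a_styles[$i+1])
    ) {
        $a_styles[$i] .= ';' . $a_styles[$i+1];
        array_splice($a_styles, $i + 1, 1); // keeps the array a list
        $i--;
        continue;
    }
    // allow strict url() values only
    if (stripos($stripped, 'url(') !== false && !preg_match($strict_url_regexp, $line)) {
        $a_styles = array('/* evil! */');
        break;
    }
}
```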

@ -217,7 +217,9 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
// allow data URIs with images (#5580)
$mod = rcube_utils::mod_css_styles("body { background-image: url(); }", 'rcmbody');
$this->assertEquals("#rcmbody { background-image: url(); }", $mod, "Data URIs in url() allowed");
$this->assertContains("#rcmbody { background-image: url();", $mod, "Data URIs in url() allowed [1]");
$mod = rcube_utils::mod_css_styles("body { background-image: url(); }", 'rcmbody', true);
$this->assertContains("#rcmbody { background-image: url();", $mod, "Data URIs in url() allowed [2]");
}
function test_xss_entity_decode()
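Review bot: The new `assertContains` cases only exercise a data URI in a single declaration; nothing covers the two paths the `$a_styles[$i+1]` join introduces — a `url(data:image...)` value that is the last split segment, where no continuation exists, and a continuation segment that carries its own `url()`, which must still end up as `/* evil! */`. The data URI payloads in these assertions appear blank (`url()`) in this rendering, presumably a display artifact, so the exact inputs cannot be confirmed from here. One assertion per path would pin the behaviour the changelog entry claims; the enclosing test method starts outside the hunk.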
