Fix path traversal vulnerability in setting a skin (#1490620)

9 years ago · 21b523c29b
parent 50403d66e0
commit 21b523c29b
2 changed files with 12 additions and 0 deletions
--- a/1
+++ b/1
@ -6,6 +6,7 @@ CHANGELOG Roundcube Webmail
 - Fix charset encoding of message/rfc822 part bodies (#1490606)
 - Fix handling of message/rfc822 attachments on replies and forwards (#1490607)
 - Fix PDF support detection in Firefox > 19 (#1490610)
+- Fix path traversal vulnerability in setting a skin (#1490620)

 RELEASE 1.0.7
 -------------
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@ -153,6 +153,17 @@ class rcmail_output_html extends rcmail_output
     */
    public function set_skin($skin)
    {
+        // Sanity check to prevent from path traversal vulnerability (#1490620)
+        if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) {
+            rcube::raise_error(array(
+                    'file'    => __FILE__,
+                    'line'    => __LINE__,
+                    'message' => 'Invalid skin name'
+                ), true, false);
+
+            return false;
+        }
+
        $valid = false;
        $path  = RCUBE_INSTALL_PATH . 'skins/';