Security: Fix cross-site scripting (XSS) via malicious XML attachment

CHANGELOG

@@ -37,6 +37,7 @@ CHANGELOG Roundcube Webmail
 - Security: Fix a couple of XSS issues in Installer (#7406)
 - Security: Fix XSS issue in template object 'username' (#7406)
 - Security: Better fix for CVE-2020-12641
+- Security: Fix cross-site scripting (XSS) via malicious XML attachment
 
 RELEASE 1.4.4
 -------------

config/defaults.inc.php

@@ -655,9 +655,12 @@ $config['identities_level'] = 0;
 $config['identity_image_size'] = 64;
 
 // Mimetypes supported by the browser.
-// attachments of these types will open in a preview window
-// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
-$config['client_mimetypes'] = null;  # null == default
+// Attachments of these types will open in a preview window.
+// Either a comma-separated list or an array. Default list includes:
+//     text/plain,text/html,
+//     image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
+//     application/x-javascript,application/pdf,application/x-shockwave-flash
+$config['client_mimetypes'] = null;
 
 // Path to a local mime magic database file for PHPs finfo extension.
 // Set to null if the default path should be used.

program/lib/Roundcube/rcube_config.php

@@ -397,7 +397,7 @@ class rcube_config
         }
         else if ($name == 'client_mimetypes') {
             if (!$result && !$def) {
-                $result = 'text/plain,text/html,text/xml'
+                $result = 'text/plain,text/html'
                     . ',image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp'
                     . ',application/x-javascript,application/pdf,application/x-shockwave-flash';
             }

program/steps/mail/func.inc

@@ -1878,6 +1878,11 @@ function rcmail_supported_mimetypes()
         unset($mimetypes[$key]);
     }
 
+    // We cannot securely preview XML files as we do not have a proper parser
+    if (($key = array_search('text/xml', $mimetypes)) !== false) {
+        unset($mimetypes[$key]);
+    }
+
     foreach (array('tiff', 'webp') as $type) {
         if (empty($_SESSION['browser_caps'][$type]) && ($key = array_search('image/' . $type, $mimetypes)) !== false) {
             // can we convert it to jpeg?

program/steps/mail/show.inc

@@ -77,7 +77,7 @@ if ($uid) {
     $OUTPUT->set_env('permaurl', $RCMAIL->url(array('_action' => 'show', '_uid' => $msg_id, '_mbox' => $mbox_name)));
     $OUTPUT->set_env('has_writeable_addressbook', $_SESSION['writeable_abook']);
     $OUTPUT->set_env('delimiter', $RCMAIL->storage->get_hierarchy_delimiter());
-    $OUTPUT->set_env('mimetypes', rcmail_supported_mimetypes());
+    $OUTPUT->set_env('mimetypes', $CLIENT_MIMETYPES = rcmail_supported_mimetypes());
 
     if ($MESSAGE->headers->get('list-post', false)) {
         $OUTPUT->set_env('list_post', true);
@@ -606,7 +606,7 @@ function rcmail_message_full_headers($attrib)
  */
 function rcmail_message_body($attrib)
 {
-    global $OUTPUT, $MESSAGE, $RCMAIL, $REMOTE_OBJECTS;
+    global $OUTPUT, $MESSAGE, $RCMAIL, $REMOTE_OBJECTS, $CLIENT_MIMETYPES;
 
     if (!is_array($MESSAGE->parts) && empty($MESSAGE->body)) {
         return '';
@@ -717,10 +717,8 @@ function rcmail_message_body($attrib)
     // list images after mail body
     if ($RCMAIL->config->get('inline_images', true) && !empty($MESSAGE->attachments)) {
         $thumbnail_size   = $RCMAIL->config->get('image_thumbnail_size', 240);
-        $client_mimetypes = (array)$RCMAIL->config->get('client_mimetypes');
-
-        $show_label     = rcube::Q($RCMAIL->gettext('showattachment'));
-        $download_label = rcube::Q($RCMAIL->gettext('download'));
+        $show_label       = rcube::Q($RCMAIL->gettext('showattachment'));
+        $download_label   = rcube::Q($RCMAIL->gettext('download'));
 
         foreach ($MESSAGE->attachments as $attach_prop) {
             // skip inline images
@@ -732,7 +730,7 @@ function rcmail_message_body($attrib)
             if ($mimetype = rcmail_part_image_type($attach_prop)) {
                 // display thumbnails
                 if ($thumbnail_size) {
-                    $supported = in_array($mimetype, $client_mimetypes);
+                    $supported = in_array($mimetype, $CLIENT_MIMETYPES);
                     $show_link_attr = array(
                         'href'    => $MESSAGE->get_part_url($attach_prop->mime_id, false),
                         'onclick' => sprintf(