From 46d3cae2ffa420638709acecf8d5c659da109de0 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sat, 30 May 2020 08:35:33 +0200 Subject: [PATCH] Security: Fix cross-site scripting (XSS) via malicious XML attachment --- CHANGELOG | 1 + config/defaults.inc.php | 9 ++++++--- program/lib/Roundcube/rcube_config.php | 2 +- program/steps/mail/func.inc | 5 +++++ program/steps/mail/show.inc | 12 +++++------- 5 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index b5dcd6c76..75a043117 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -37,6 +37,7 @@ CHANGELOG Roundcube Webmail
 - Security: Fix a couple of XSS issues in Installer (#7406)
 - Security: Fix XSS issue in template object 'username' (#7406)
 - Security: Better fix for CVE-2020-12641
+- Security: Fix cross-site scripting (XSS) via malicious XML attachment
 
 RELEASE 1.4.4
 -------------
diff --git a/config/defaults.inc.php b/config/defaults.inc.php
index 40ccff7ab..35a8257ee 100644
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@@ -655,9 +655,12 @@ $config['identities_level'] = 0;
 $config['identity_image_size'] = 64;
 
 // Mimetypes supported by the browser.
-// attachments of these types will open in a preview window
-// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
-$config['client_mimetypes'] = null; # null == default
+// Attachments of these types will open in a preview window.
+// Either a comma-separated list or an array. Default list includes:
+// text/plain,text/html,
+// image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
+// application/x-javascript,application/pdf,application/x-shockwave-flash
+$config['client_mimetypes'] = null;
 
 // Path to a local mime magic database file for PHPs finfo extension.
 // Set to null if the default path should be used.
diff --git a/program/lib/Roundcube/rcube_config.php b/program/lib/Roundcube/rcube_config.php
index 3d3628368..73651f95f 100644
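Review bot: The rewritten comment in the defaults.inc.php hunk describes the default list but not that the configured value is post-processed before it reaches the client, so an admin who re-adds `text/xml` here will not get XML previews back — the func.inc hunk in this same patch drops `text/xml` unconditionally inside rcmail_supported_mimetypes(), assuming that function filters this setting (the function body is not visible in this hunk). A sentence such as `// Note: the list is filtered at runtime by rcmail_supported_mimetypes() (browser capabilities; text/xml is never previewed).` would make that behaviour discoverable from the config file.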
--- a/program/lib/Roundcube/rcube_config.php
+++ b/program/lib/Roundcube/rcube_config.php
@@ -397,7 +397,7 @@ class rcube_config
 }
 else if ($name == 'client_mimetypes') {
 if (!$result && !$def) {
- $result = 'text/plain,text/html,text/xml'
+ $result = 'text/plain,text/html'
 . ',image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp'
 . ',application/x-javascript,application/pdf,application/x-shockwave-flash';
 }
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index d3e1dd751..5e46189b4 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -1878,6 +1878,11 @@ function rcmail_supported_mimetypes()
 unset($mimetypes[$key]);
 }
 
+ // We cannot securely preview XML files as we do not have a proper parser
+ if (($key = array_search('text/xml', $mimetypes)) !== false) {
+ unset($mimetypes[$key]);
+ }
+
 foreach (array('tiff', 'webp') as $type) {
 if (empty($_SESSION['browser_caps'][$type]) && ($key = array_search('image/' . $type, $mimetypes)) !== false) {
 // can we convert it to jpeg?
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
index 7bc03ed29..a36dce918 100644
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -77,7 +77,7 @@ if ($uid) {
 $OUTPUT->set_env('permaurl', $RCMAIL->url(array('_action' => 'show', '_uid' => $msg_id, '_mbox' => $mbox_name)));
 $OUTPUT->set_env('has_writeable_addressbook', $_SESSION['writeable_abook']);
 $OUTPUT->set_env('delimiter', $RCMAIL->storage->get_hierarchy_delimiter());
- $OUTPUT->set_env('mimetypes', rcmail_supported_mimetypes());
+ $OUTPUT->set_env('mimetypes', $CLIENT_MIMETYPES = rcmail_supported_mimetypes());
 
 if ($MESSAGE->headers->get('list-post', false)) {
 $OUTPUT->set_env('list_post', true);
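Review bot: The added `array_search('text/xml', $mimetypes)` in the func.inc hunk is a non-strict search that removes a single match, so a configured list that names the type twice, or with different letter case, can leave an entry in place, and sibling XML-flavoured types (`application/xml`, `application/xhtml+xml`) are not excluded at all if an admin has configured them — whether those are rendered by the browser on preview depends on how the part is served, which is outside this hunk. Filtering the whole list is more robust and reads as one statement: `$mimetypes = array_values(array_filter($mimetypes, function ($type) { return !preg_match('/(^text\/xml$|\+xml$|\/xml$)/i', $type); }));`. The enclosing rcmail_supported_mimetypes() starts and ends outside the hunk, so the source of `$mimetypes` cannot be confirmed here.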
@@ -606,7 +606,7 @@ function rcmail_message_full_headers($attrib)
 */
 function rcmail_message_body($attrib)
 {
- global $OUTPUT, $MESSAGE, $RCMAIL, $REMOTE_OBJECTS;
+ global $OUTPUT, $MESSAGE, $RCMAIL, $REMOTE_OBJECTS, $CLIENT_MIMETYPES;
 
 if (!is_array($MESSAGE->parts) && empty($MESSAGE->body)) {
 return '';
@@ -717,10 +717,8 @@ function rcmail_message_body($attrib)
 // list images after mail body
 if ($RCMAIL->config->get('inline_images', true) && !empty($MESSAGE->attachments)) {
 $thumbnail_size = $RCMAIL->config->get('image_thumbnail_size', 240);
- $client_mimetypes = (array)$RCMAIL->config->get('client_mimetypes');
-
- $show_label = rcube::Q($RCMAIL->gettext('showattachment'));
- $download_label = rcube::Q($RCMAIL->gettext('download'));
+ $show_label = rcube::Q($RCMAIL->gettext('showattachment'));
+ $download_label = rcube::Q($RCMAIL->gettext('download'));
 
 foreach ($MESSAGE->attachments as $attach_prop) {
 // skip inline images
@@ -732,7 +730,7 @@ function rcmail_message_body($attrib)
 if ($mimetype = rcmail_part_image_type($attach_prop)) {
 // display thumbnails
 if ($thumbnail_size) {
- $supported = in_array($mimetype, $client_mimetypes);
+ $supported = in_array($mimetype, $CLIENT_MIMETYPES);
 $show_link_attr = array(
 'href' => $MESSAGE->get_part_url($attach_prop->mime_id, false),
 'onclick' => sprintf(
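Review bot: `in_array($mimetype, $CLIENT_MIMETYPES)` on the changed line of the `@@ -732` hunk depends on the global being populated by the `$OUTPUT->set_env('mimetypes', $CLIENT_MIMETYPES = rcmail_supported_mimetypes())` assignment in the `@@ -77` hunk; if rcmail_message_body() is reached on a path where that `if ($uid)` block (which starts outside the hunk) did not run, `$CLIENT_MIMETYPES` is null and in_array() emits a warning and returns null on PHP 7, or throws a TypeError on PHP 8. The removed `(array)` cast from the `@@ -717` hunk also no longer protects the call. A fallback keeps the function self-contained: `$supported = in_array($mimetype, isset($CLIENT_MIMETYPES) ? $CLIENT_MIMETYPES : rcmail_supported_mimetypes());`. Separately, an assignment buried inside a set_env() argument is easy to miss; splitting it into `$CLIENT_MIMETYPES = rcmail_supported_mimetypes();` followed by the set_env() call would make the dependency visible. rcmail_message_body() continues outside these hunks.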