Security: Fix cross-site scripting (XSS) via malicious XML attachment

pull/6724/merge
Aleksander Machniak 5 years ago
parent bda02002de
commit 46d3cae2ff

@ -37,6 +37,7 @@ CHANGELOG Roundcube Webmail
- Security: Fix a couple of XSS issues in Installer (#7406) - Security: Fix a couple of XSS issues in Installer (#7406)
- Security: Fix XSS issue in template object 'username' (#7406) - Security: Fix XSS issue in template object 'username' (#7406)
- Security: Better fix for CVE-2020-12641 - Security: Better fix for CVE-2020-12641
- Security: Fix cross-site scripting (XSS) via malicious XML attachment
RELEASE 1.4.4 RELEASE 1.4.4
------------- -------------

@ -655,9 +655,12 @@ $config['identities_level'] = 0;
$config['identity_image_size'] = 64; $config['identity_image_size'] = 64;
// Mimetypes supported by the browser. // Mimetypes supported by the browser.
// attachments of these types will open in a preview window // Attachments of these types will open in a preview window.
// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf' // Either a comma-separated list or an array. Default list includes:
$config['client_mimetypes'] = null; # null == default // text/plain,text/html,
// image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
// application/x-javascript,application/pdf,application/x-shockwave-flash
$config['client_mimetypes'] = null;
// Path to a local mime magic database file for PHPs finfo extension. // Path to a local mime magic database file for PHPs finfo extension.
// Set to null if the default path should be used. // Set to null if the default path should be used.

@ -397,7 +397,7 @@ class rcube_config
} }
else if ($name == 'client_mimetypes') { else if ($name == 'client_mimetypes') {
if (!$result && !$def) { if (!$result && !$def) {
$result = 'text/plain,text/html,text/xml' $result = 'text/plain,text/html'
. ',image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp' . ',image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp'
. ',application/x-javascript,application/pdf,application/x-shockwave-flash'; . ',application/x-javascript,application/pdf,application/x-shockwave-flash';
} }
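Review bot: Dropping `text/xml` from the built-in default in this `client_mimetypes` branch only affects installations that never set the option; a site that lists `text/xml` explicitly still gets it back from the config getter. The runtime filter in `rcmail_supported_mimetypes()` is what protects those sites, so any caller that reads the raw option to decide on a preview bypasses it. I would add a comment above the default, `// NOTE: not a security boundary; use rcmail_supported_mimetypes() when deciding what to preview`, and check for remaining direct readers, which are not visible in this diff. The enclosing method starts and ends outside the hunk.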

@ -1878,6 +1878,11 @@ function rcmail_supported_mimetypes()
unset($mimetypes[$key]); unset($mimetypes[$key]);
} }
// We cannot securely preview XML files as we do not have a proper parser
if (($key = array_search('text/xml', $mimetypes)) !== false) {
unset($mimetypes[$key]);
}
foreach (array('tiff', 'webp') as $type) { foreach (array('tiff', 'webp') as $type) {
if (empty($_SESSION['browser_caps'][$type]) && ($key = array_search('image/' . $type, $mimetypes)) !== false) { if (empty($_SESSION['browser_caps'][$type]) && ($key = array_search('image/' . $type, $mimetypes)) !== false) {
// can we convert it to jpeg? // can we convert it to jpeg?
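Review bot: The new filter in `rcmail_supported_mimetypes()` removes only the exact string `text/xml`, so an admin-configured `application/xml` (or another XML-based type) would still be offered for in-browser preview, although the comment's reasoning applies to it equally. Consider `$mimetypes = array_diff($mimetypes, array('text/xml', 'application/xml'));`, which preserves keys just as `unset()` does. The match is also case-sensitive; whether the list is lower-cased earlier in the function is not visible here, since the body starts and ends outside the hunk.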

@ -77,7 +77,7 @@ if ($uid) {
$OUTPUT->set_env('permaurl', $RCMAIL->url(array('_action' => 'show', '_uid' => $msg_id, '_mbox' => $mbox_name))); $OUTPUT->set_env('permaurl', $RCMAIL->url(array('_action' => 'show', '_uid' => $msg_id, '_mbox' => $mbox_name)));
$OUTPUT->set_env('has_writeable_addressbook', $_SESSION['writeable_abook']); $OUTPUT->set_env('has_writeable_addressbook', $_SESSION['writeable_abook']);
$OUTPUT->set_env('delimiter', $RCMAIL->storage->get_hierarchy_delimiter()); $OUTPUT->set_env('delimiter', $RCMAIL->storage->get_hierarchy_delimiter());
$OUTPUT->set_env('mimetypes', rcmail_supported_mimetypes()); $OUTPUT->set_env('mimetypes', $CLIENT_MIMETYPES = rcmail_supported_mimetypes());
if ($MESSAGE->headers->get('list-post', false)) { if ($MESSAGE->headers->get('list-post', false)) {
$OUTPUT->set_env('list_post', true); $OUTPUT->set_env('list_post', true);
@ -606,7 +606,7 @@ function rcmail_message_full_headers($attrib)
*/ */
function rcmail_message_body($attrib) function rcmail_message_body($attrib)
{ {
global $OUTPUT, $MESSAGE, $RCMAIL, $REMOTE_OBJECTS; global $OUTPUT, $MESSAGE, $RCMAIL, $REMOTE_OBJECTS, $CLIENT_MIMETYPES;
if (!is_array($MESSAGE->parts) && empty($MESSAGE->body)) { if (!is_array($MESSAGE->parts) && empty($MESSAGE->body)) {
return ''; return '';
@ -717,10 +717,8 @@ function rcmail_message_body($attrib)
// list images after mail body // list images after mail body
if ($RCMAIL->config->get('inline_images', true) && !empty($MESSAGE->attachments)) { if ($RCMAIL->config->get('inline_images', true) && !empty($MESSAGE->attachments)) {
$thumbnail_size = $RCMAIL->config->get('image_thumbnail_size', 240); $thumbnail_size = $RCMAIL->config->get('image_thumbnail_size', 240);
$client_mimetypes = (array)$RCMAIL->config->get('client_mimetypes'); $show_label = rcube::Q($RCMAIL->gettext('showattachment'));
$download_label = rcube::Q($RCMAIL->gettext('download'));
$show_label = rcube::Q($RCMAIL->gettext('showattachment'));
$download_label = rcube::Q($RCMAIL->gettext('download'));
foreach ($MESSAGE->attachments as $attach_prop) { foreach ($MESSAGE->attachments as $attach_prop) {
// skip inline images // skip inline images
@ -732,7 +730,7 @@ function rcmail_message_body($attrib)
if ($mimetype = rcmail_part_image_type($attach_prop)) { if ($mimetype = rcmail_part_image_type($attach_prop)) {
// display thumbnails // display thumbnails
if ($thumbnail_size) { if ($thumbnail_size) {
$supported = in_array($mimetype, $client_mimetypes); $supported = in_array($mimetype, $CLIENT_MIMETYPES);
$show_link_attr = array( $show_link_attr = array(
'href' => $MESSAGE->get_part_url($attach_prop->mime_id, false), 'href' => $MESSAGE->get_part_url($attach_prop->mime_id, false),
'onclick' => sprintf( 'onclick' => sprintf(
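Review bot: `rcmail_message_body()` now depends on the global `$CLIENT_MIMETYPES`, which, judging by the hunk header, is assigned only inside the `if ($uid) {` block; if the function ever runs without that assignment, `in_array($mimetype, $CLIENT_MIMETYPES)` receives null. The failure direction is safe (no preview link is offered), but it raises a warning on PHP 7 and a TypeError on PHP 8. A local fallback removes the hidden ordering dependency: `$supported = in_array($mimetype, is_array($CLIENT_MIMETYPES) ? $CLIENT_MIMETYPES : rcmail_supported_mimetypes());`. The function body continues outside the hunks shown.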
