Security: Fix cross-site scripting (XSS) via malicious XML attachment

pull/6724/merge
Aleksander Machniak 5 years ago
parent bda02002de
commit 46d3cae2ff

@ -37,6 +37,7 @@ CHANGELOG Roundcube Webmail
- Security: Fix a couple of XSS issues in Installer (#7406)
- Security: Fix XSS issue in template object 'username' (#7406)
- Security: Better fix for CVE-2020-12641
- Security: Fix cross-site scripting (XSS) via malicious XML attachment
RELEASE 1.4.4
-------------

@ -655,9 +655,12 @@ $config['identities_level'] = 0;
$config['identity_image_size'] = 64;
// Mimetypes supported by the browser.
// attachments of these types will open in a preview window
// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
$config['client_mimetypes'] = null; # null == default
// Attachments of these types will open in a preview window.
// Either a comma-separated list or an array. Default list includes:
// text/plain,text/html,
// image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
// application/x-javascript,application/pdf,application/x-shockwave-flash
$config['client_mimetypes'] = null;
// Path to a local mime magic database file for PHPs finfo extension.
// Set to null if the default path should be used.

@ -397,7 +397,7 @@ class rcube_config
}
else if ($name == 'client_mimetypes') {
if (!$result && !$def) {
$result = 'text/plain,text/html,text/xml'
$result = 'text/plain,text/html'
. ',image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp'
. ',application/x-javascript,application/pdf,application/x-shockwave-flash';
}

@ -1878,6 +1878,11 @@ function rcmail_supported_mimetypes()
unset($mimetypes[$key]);
}
// We cannot securely preview XML files as we do not have a proper parser
if (($key = array_search('text/xml', $mimetypes)) !== false) {
unset($mimetypes[$key]);
}
foreach (array('tiff', 'webp') as $type) {
if (empty($_SESSION['browser_caps'][$type]) && ($key = array_search('image/' . $type, $mimetypes)) !== false) {
// can we convert it to jpeg?

@ -77,7 +77,7 @@ if ($uid) {
$OUTPUT->set_env('permaurl', $RCMAIL->url(array('_action' => 'show', '_uid' => $msg_id, '_mbox' => $mbox_name)));
$OUTPUT->set_env('has_writeable_addressbook', $_SESSION['writeable_abook']);
$OUTPUT->set_env('delimiter', $RCMAIL->storage->get_hierarchy_delimiter());
$OUTPUT->set_env('mimetypes', rcmail_supported_mimetypes());
$OUTPUT->set_env('mimetypes', $CLIENT_MIMETYPES = rcmail_supported_mimetypes());
if ($MESSAGE->headers->get('list-post', false)) {
$OUTPUT->set_env('list_post', true);
@ -606,7 +606,7 @@ function rcmail_message_full_headers($attrib)
*/
function rcmail_message_body($attrib)
{
global $OUTPUT, $MESSAGE, $RCMAIL, $REMOTE_OBJECTS;
global $OUTPUT, $MESSAGE, $RCMAIL, $REMOTE_OBJECTS, $CLIENT_MIMETYPES;
if (!is_array($MESSAGE->parts) && empty($MESSAGE->body)) {
return '';
@ -717,10 +717,8 @@ function rcmail_message_body($attrib)
// list images after mail body
if ($RCMAIL->config->get('inline_images', true) && !empty($MESSAGE->attachments)) {
$thumbnail_size = $RCMAIL->config->get('image_thumbnail_size', 240);
$client_mimetypes = (array)$RCMAIL->config->get('client_mimetypes');
$show_label = rcube::Q($RCMAIL->gettext('showattachment'));
$download_label = rcube::Q($RCMAIL->gettext('download'));
$show_label = rcube::Q($RCMAIL->gettext('showattachment'));
$download_label = rcube::Q($RCMAIL->gettext('download'));
foreach ($MESSAGE->attachments as $attach_prop) {
// skip inline images
@ -732,7 +730,7 @@ function rcmail_message_body($attrib)
if ($mimetype = rcmail_part_image_type($attach_prop)) {
// display thumbnails
if ($thumbnail_size) {
$supported = in_array($mimetype, $client_mimetypes);
$supported = in_array($mimetype, $CLIENT_MIMETYPES);
$show_link_attr = array(
'href' => $MESSAGE->get_part_url($attach_prop->mime_id, false),
'onclick' => sprintf(

Loading…
Cancel
Save