diff --git a/CHANGELOG b/CHANGELOG index 8fcbcf62f..dd405eb9f 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -5,6 +5,7 @@ CHANGELOG Roundcube Webmail - Fix random "access to this resource is secured against CSRF" message at logout (#1490641) - Fix missing language name in "Add to Dictionary" request in HTML mode (#1490634) - Enable use of TLSv1.1 and TLSv1.2 for IMAP (#1490640) +- Fix XSS issue in SVG images handling (#1490625) RELEASE 1.1.4 ------------- diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc index af5997942..f89e7e06d 100644 --- a/program/steps/mail/get.inc +++ b/program/steps/mail/get.inc @@ -94,6 +94,11 @@ else if ($_GET['_thumb']) { $mimetype = 'image/' . $imgtype; unlink($orig_name); } + else if (stripos($mimetype, 'image/svg') === 0) { + $content = rcmail_svg_filter(file_get_contents($orig_name)); + file_put_contents($cache_file, $content); + unlink($orig_name); + } else { rename($orig_name, $cache_file); } @@ -331,7 +336,7 @@ else if (strlen($part_id)) { } // convert image to jpeg and send it to the browser - if ($saved) { + if ($sent = $saved) { $image = new rcube_image($file_path); if ($image->convert(rcube_image::TYPE_JPG, $file_path)) { header("Content-Length: " . filesize($file_path)); @@ -340,32 +345,8 @@ else if (strlen($part_id)) { unlink($file_path); } } - // do content filtering to avoid XSS through fake images - else if (!empty($_REQUEST['_embed']) && $browser->ie && $browser->ver <= 8) { - if ($body) { - echo preg_match('/<(script|iframe|object)/i', $body) ? '' : $body; - $sent = true; - } - else if ($part->size) { - $stdout = fopen('php://output', 'w'); - stream_filter_register('rcube_content', 'rcube_content_filter') or die('Failed to register content filter'); - stream_filter_append($stdout, 'rcube_content'); - $sent = $MESSAGE->get_part_body($part->mime_id, true, 0, $stdout); - } - } - // send part as-it-is else { - if ($body && empty($plugin['download'])) { - header("Content-Length: " . strlen($body)); - echo $body; - $sent = true; - } - else if ($part->size) { - // Don't be tempted to set Content-Length to $part->d_parameters['size'] (#1490482) - // RFC2183 says "The size parameter indicates an approximate size" - - $sent = $MESSAGE->get_part_body($part->mime_id, false, 0, -1); - } + $sent = rcmail_message_part_output($body, $part, $mimetype, $plugin['download']); } // check connection status @@ -477,3 +458,71 @@ function rcmail_message_part_frame($attrib) return html::iframe($attrib); } + +/** + * Output attachment body with content filtering + */ +function rcmail_message_part_output($body, $part, $mimetype, $download) +{ + global $MESSAGE, $RCMAIL; + + if (!$part->size && !$body) { + return false; + } + + $browser = $RCMAIL->output->browser; + $secure = stripos($mimetype, 'image/') === false || $download; + + // Remove