Fix security issue where it was possible to bypass the position:fixed CSS check in received messages (#6898)

pull/6908/head
Aleksander Machniak 5 years ago
parent 14cb21c87e
commit 7bf868767e

@ -80,6 +80,7 @@ CHANGELOG Roundcube Webmail
- Fix bug where unread count wasn't updated after moving multi-folder result (#6846)
- Fix wrong messages order after returning to a multi-folder search result (#6836)
- Fix some PHP 7.4 compat. issues (#6884, #6866)
- Fix security issue where it was possible to bypass the position:fixed CSS check in received messages (#6898)
RELEASE 1.4-rc1
---------------

@ -396,7 +396,7 @@ class rcube_utils
$styles = substr($source, $pos+1, $length);
// Convert position:fixed to position:absolute (#5264)
$styles = preg_replace('/position:[\s\r\n]*fixed/i', 'position: absolute', $styles);
$styles = preg_replace('/position[^a-z]*:[\s\r\n]*fixed/i', 'position: absolute', $styles);
// check every line of a style block...
if ($allow_remote) {
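Review bot: The widened pattern on the new line still matches only the literal token `fixed`, so unless an earlier step (not visible in this hunk) strips or decodes backslash escape sequences from the style block, a CSS-escaped spelling of the value would pass this check untouched; a regex denylist over raw CSS is hard to make exhaustive, and rejecting or normalising `\` escapes before this line would close that class of variants. A smaller point of style: `\s` already covers `\r` and `\n`, so `[\s\r\n]*` can be written as `\s*`, and `[^a-z]*` should be documented since it deliberately spans whatever separators remain between the property name and the colon, e.g. `// #6898: allow whitespace/comment residue between "position" and ":"`. The comment on the line above still cites only #5264; consider extending it to `// Convert position:fixed to position:absolute (#5264, #6898)`. mod_css_styles starts and ends outside this hunk.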

@ -215,13 +215,19 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
// position: fixed (#5264)
$mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)");
$mod = rcube_utils::mod_css_styles(".test { position:\nfixed; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (1)");
$mod = rcube_utils::mod_css_styles(".test { position:/**/fixed; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (2)");
// position: fixed (#6898)
$mod = rcube_utils::mod_css_styles(".test { position : fixed; top: 0; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; top: 0; }", $mod, "Replace position:fixed with position:absolute (3)");
$mod = rcube_utils::mod_css_styles(".test { position/**/: fixed; top: 0; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; top: 0; }", $mod, "Replace position:fixed with position:absolute (4)");
$mod = rcube_utils::mod_css_styles(".test { position\n: fixed; top: 0; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; top: 0; }", $mod, "Replace position:fixed with position:absolute (5)");
// allow data URIs with images (#5580)
$mod = rcube_utils::mod_css_styles("body { background-image: url(data:image/png;base64,123); }", 'rcmbody');
$this->assertContains("#rcmbody { background-image: url(data:image/png;base64,123);", $mod, "Data URIs in url() allowed [1]");
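Review bot: The three new cases (3)–(5) only vary the separator between `position` and the colon; none exercises the `/i` modifier together with the new `[^a-z]*` part, which is the only thing keeping an upper-case `POSITION : FIXED` from passing through, so one mixed-case variant would pin that behaviour. The added assertions also all expect the normalised `position: absolute` output, which is fine, but a negative case such as `background-position: fixed` would document that the unanchored pattern is allowed to rewrite unrelated properties. The enclosing test method starts and ends outside this hunk.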
