From 884eb611627ef2bd5a2e20e02009ebb1eceecdc3 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Sat, 30 May 2020 08:35:33 +0200
Subject: [PATCH] Security: Fix cross-site scripting (XSS) via malicious XML attachment

---
 CHANGELOG | 8 +++++---
 config/defaults.inc.php | 9 ++++++---
 program/lib/Roundcube/rcube_config.php | 2 +-
 program/steps/mail/func.inc | 5 +++++
 program/steps/mail/show.inc | 2 ++
 5 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 59840b63d..cd20e44ae 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,11 +1,13 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Security: Fix cross-site scripting (XSS) via malicious XML attachment
+
 RELEASE 1.3.12
 --------------
- - Security: Better fix for CVE-2020-12641
- - Security: Fix XSS issue in template object 'username' (#7406)
- - Security: Fix couple of XSS issues in Installer (#7406)
+- Security: Better fix for CVE-2020-12641
+- Security: Fix XSS issue in template object 'username' (#7406)
+- Security: Fix couple of XSS issues in Installer (#7406)
 
 RELEASE 1.3.11
 --------------
diff --git a/config/defaults.inc.php b/config/defaults.inc.php
index bd6937c15..f0c4c174a 100644
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@@ -589,9 +589,12 @@ $config['identities_level'] = 0;
 $config['identity_image_size'] = 64;
 
 // Mimetypes supported by the browser.
-// attachments of these types will open in a preview window
-// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
-$config['client_mimetypes'] = null; # null == default
+// Attachments of these types will open in a preview window.
+// Either a comma-separated list or an array. Default list includes:
+//    text/plain,text/html,
+//    image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
+//    application/x-javascript,application/pdf,application/x-shockwave-flash
+$config['client_mimetypes'] = null;
 
 // Path to a local mime magic database file for PHPs finfo extension.
 // Set to null if the default path should be used.
diff --git a/program/lib/Roundcube/rcube_config.php b/program/lib/Roundcube/rcube_config.php
index 431b512a3..2716fd851 100644
--- a/program/lib/Roundcube/rcube_config.php
+++ b/program/lib/Roundcube/rcube_config.php
@@ -397,7 +397,7 @@ class rcube_config
         }
         else if ($name == 'client_mimetypes') {
             if (!$result && !$def) {
-                $result = 'text/plain,text/html,text/xml'
+                $result = 'text/plain,text/html'
                     . ',image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp'
                     . ',application/x-javascript,application/pdf,application/x-shockwave-flash';
             }
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 1e3944480..ebb288c13 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -2359,6 +2359,11 @@ function rcmail_supported_mimetypes()
         unset($mimetypes[$key]);
     }
 
+    // We cannot securely preview XML files as we do not have a proper parser
+    if (($key = array_search('text/xml', $mimetypes)) !== false) {
+        unset($mimetypes[$key]);
+    }
+
     foreach (array('tiff', 'webp') as $type) {
         if (empty($_SESSION['browser_caps'][$type]) && ($key = array_search('image/' . $type, $mimetypes)) !== false) {
             // can we convert it to jpeg?
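Review bot: The rewritten `client_mimetypes` comment silently drops `text/xml` from the example list but does not tell an administrator that the type is no longer previewable at all, so someone who previously had it in an explicit list will not understand why it stops working; the func.inc hunk in this same patch discards `text/xml` from whatever list is configured. I would add a line to the comment after the default list: `// Note: text/xml is never previewed inline (it is removed from the list server-side) because XML cannot be sanitized safely.` That keeps the config file self-explanatory for the people most likely to "restore" the old value.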
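Review bot: The new default string in rcube_config carries no hint that `text/xml` was removed on purpose, and the removed line is the only record of it, so a later cleanup or merge could reintroduce it without anyone noticing. A one-line comment above the assignment, `// text/xml deliberately omitted: XML attachments cannot be previewed safely (XSS); see rcmail_supported_mimetypes()`, would anchor the decision in the code rather than only in the commit message. The enclosing `get()`-style method starts and ends outside this hunk.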
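Review bot: The new `array_search('text/xml', $mimetypes)` only removes an entry that matches exactly and case-sensitively, so an administrator-supplied list containing `Text/XML` or ` text/xml` (whitespace after a comma) would still reach the client as a previewable type; the config comment in this patch says the list may be a comma-separated string, which makes stray spaces plausible unless the splitting code (outside this hunk) trims them. Filtering instead of searching closes that gap: `$mimetypes = array_filter($mimetypes, function ($type) {` / `    return strtolower(trim($type)) !== 'text/xml';` / `});`. If `application/xml` or other `+xml` types are judged equally unsafe, the same filter is the natural place to add them, but this hunk does not establish that. The hunk also leaves a hole in the array after `unset`, as the preceding `unset` does; if `rcmail_supported_mimetypes()` does not reindex before returning (its tail is outside the hunk), `json_encode` will emit an object rather than a list when show.inc puts this value in the env, which is worth confirming against the client code.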
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
index 3e099c979..b0251818e 100644
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -72,6 +72,8 @@ if ($uid) {
     $OUTPUT->set_env('mailbox', $mbox_name);
     $OUTPUT->set_env('username', $RCMAIL->get_user_name());
     $OUTPUT->set_env('permaurl', $RCMAIL->url(array('_action' => 'show', '_uid' => $msg_id, '_mbox' => $mbox_name)));
+    $OUTPUT->set_env('delimiter', $RCMAIL->storage->get_hierarchy_delimiter());
+    $OUTPUT->set_env('mimetypes', rcmail_supported_mimetypes());
 
     if ($MESSAGE->headers->get('list-post', false)) {
         $OUTPUT->set_env('list_post', true);
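Review bot: The new `mimetypes` env entry is the only piece of this patch that makes the server-side `text/xml` exclusion reach the browser, yet no client-side change is included, so it is worth confirming that the message-view JavaScript actually reads `env.mimetypes` rather than a hardcoded preview list; otherwise the XML exclusion only takes effect on pages that already consumed this env. The adjacent `delimiter` env line has no visible connection to the XSS fix and no explanation; I would either move it to its own commit or add `// needed by the client for folder-name handling in the message view` (or whatever the real reason is) so the security patch stays reviewable. The enclosing `if ($uid)` block starts before and ends after this hunk.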