Fix bug in remote content blocking on HTML image and style tags (#6178)

release-1.2
Aleksander Machniak 7 years ago
parent 987856eee2
commit 8e7c2f61a3

@ -1,6 +1,8 @@
CHANGELOG Roundcube Webmail CHANGELOG Roundcube Webmail
=========================== ===========================
- Fix security issue in remote content blocking on HTML image and style tags (#6178)
RELEASE 1.2.7 RELEASE 1.2.7
------------- -------------
- Fix rewind(): stream does not support seeking (#5950) - Fix rewind(): stream does not support seeking (#5950)

@ -507,7 +507,7 @@ class rcube_utils
{ {
$out = html_entity_decode(html_entity_decode($content)); $out = html_entity_decode(html_entity_decode($content));
$out = trim(preg_replace('/(^<!--|-->$)/', '', trim($out))); $out = trim(preg_replace('/(^<!--|-->$)/', '', trim($out)));
$out = preg_replace_callback('/\\\([0-9a-f]{4})/i', $out = preg_replace_callback('/\\\([0-9a-f]{2,4})\s*/i',
array(self, 'xss_entity_decode_callback'), $out); array(self, 'xss_entity_decode_callback'), $out);
$out = preg_replace('#/\*.*\*/#Ums', '', $out); $out = preg_replace('#/\*.*\*/#Ums', '', $out);
$out = strip_tags($out); $out = strip_tags($out);
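Review bot: The widened pattern on the `preg_replace_callback` line still accepts only two to four hex digits, but a CSS hex escape may carry up to six (`\000075` is `u`), and a backslash before a non-hex, non-newline character is also a valid CSS escape yielding that character (`\u\r\l(`), so both spellings reach the browser as `url(` while the decoded copy checked here keeps them literal. A `{2,4}` quantifier also splits a six-digit escape into a four-digit decode plus two stray characters, which is presumably why `\000075`-style input is not caught. Widening to `'/\\\([0-9a-f]{1,6})\s*/i'` covers the hex form if `xss_entity_decode_callback` (not visible here) handles any length, and a follow-up `$out = preg_replace('/\\\([^0-9a-f\r\n])/i', '$1', $out);` after it would unescape the non-hex form. The enclosing method starts before this hunk and continues past it, so the callback and later checks could not be reviewed.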

@ -386,7 +386,7 @@ class rcube_washtml
return $attr == 'background' return $attr == 'background'
|| $attr == 'color-profile' // SVG || $attr == 'color-profile' // SVG
|| ($attr == 'poster' && $tag == 'video') || ($attr == 'poster' && $tag == 'video')
|| ($attr == 'src' && preg_match('/^(img|source|input|video|audio)$/i', $tag)) || ($attr == 'src' && preg_match('/^(img|image|source|input|video|audio)$/i', $tag))
|| ($tag == 'image' && $attr == 'href'); // SVG || ($tag == 'image' && $attr == 'href'); // SVG
} }
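Review bot: The new `image` entry in the `src` alternation sits next to the `// SVG` comment on the `href` line, so a later reader may assume it is the SVG element and drop it; the reason it belongs with `img` is presumably that HTML parsers treat `<image>` as `<img>`, and that is worth stating. Suggested comment on the changed line: `// 'image' included: HTML parsers rewrite <image> to <img>, so its src is remote content`. As a point of style, the anchored alternation could be `in_array(strtolower($tag), ['img', 'image', 'source', 'input', 'video', 'audio'], true)`, which avoids a regex for a fixed list and keeps the case-insensitivity. The enclosing method's signature is outside this hunk.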

@ -205,6 +205,9 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
$mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\006c( javascript:alert(&#039;xss&#039;) )", 'rcmbody'); $mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\006c( javascript:alert(&#039;xss&#039;) )", 'rcmbody');
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)"); $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)");
$mod = rcube_utils::mod_css_styles("background: \\75 \\72 \\6C ('/images/img.png')", 'rcmbody');
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (3)");
// position: fixed (#5264) // position: fixed (#5264)
$mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody'); $mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)"); $this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)");
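Review bot: The added assertion only exercises two-digit escapes each followed by one space, so a regression back to a fixed-width pattern in `xss_entity_decode` would still pass it, and the other CSS escape widths are untested. Consider two more cases alongside it: `$mod = rcube_utils::mod_css_styles("background: \\000075\\000072\\00006c('/images/img.png')", 'rcmbody');` expecting `/* evil! */`, and one with the escapes run together without spaces (`\\75\\72\\6C(`) to confirm whitespace is optional. Whether these pass depends on the decoder in rcube_utils, which this hunk does not show.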
