banananetwork
/
roundcubemail
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'master' into dev-elastic

Browse Source
pull/6040/head
Aleksander Machniak 7 years ago
parent d7be2f1946 a0374f3c45
commit 910c735b87
6 changed files with 63 additions and 7 deletions
Show Stats Download Patch File Download Diff File

2
CHANGELOG
Unescape Escape View File

@ -52,6 +52,8 @@ CHANGELOG Roundcube Webmail
- Fix various issues when downloading files with names containing non-ascii chars, use RFC 2231 (#5772)
- Fix decoding of mailto: links with + character in HTML messages (#6020)
- Fix false reporting of failed upgrade in installto.sh (#6019)
- Fix file disclosure vulnerability caused by insuficient input validation in relation to attachment plugins (#6026)
- Fix mangled non-ASCII characters in links in HTML messages (#6028)
RELEASE 1.3.2
-------------

7
plugins/database_attachments/database_attachments.php
Unescape Escape View File

@ -84,6 +84,8 @@ class database_attachments extends filesystem_attachments
if ($args['data'] === false) {
return $args;
}
$args['path'] = null;
}
$data = base64_encode($args['data']);
@ -130,10 +132,13 @@ class database_attachments extends filesystem_attachments
$cache = $this->get_cache();
$data = $cache->read($args['id']);
if ($data) {
if ($data !== null && $data !== false) {
$args['data'] = base64_decode($data);
$args['status'] = true;
}
else {
$args['status'] = false;
}
return $args;
}

47
plugins/filesystem_attachments/filesystem_attachments.php
Unescape Escape View File

@ -7,12 +7,19 @@
* attachments of messages currently being composed, writing attachments
* to disk when drafts with attachments are re-opened and writing
* attachments to disk for inline display in current html compositions.
* It also handles uploaded files for other uses, so not only attachments.
*
* Developers may wish to extend this class when creating attachment
* handler plugins:
* require_once('plugins/filesystem_attachments/filesystem_attachments.php');
* class myCustom_attachments extends filesystem_attachments
*
* Note for developers: It is plugin's responsibility to care about security.
* So, e.g. if the plugin is asked about some file path it should check
* if it's really the storage path of the plugin and not e.g. /etc/passwd.
* It is done by setting 'status' flag on every plugin hook it uses.
* Roundcube core will trust the returned path if status=true.
*
* @license GNU GPLv3+
* @author Ziba Scott <ziba@umich.edu>
* @author Thomas Bruederli <roundcube@gmail.com>
@ -107,7 +114,7 @@ class filesystem_attachments extends rcube_plugin
*/
function remove($args)
{
$args['status'] = @unlink($args['path']);
$args['status'] = $this->verify_path($args['path']) && @unlink($args['path']);
return $args;
}
@ -118,7 +125,7 @@ class filesystem_attachments extends rcube_plugin
*/
function display($args)
{
$args['status'] = file_exists($args['path']);
$args['status'] = $this->verify_path($args['path']) && file_exists($args['path']);
return $args;
}
@ -129,6 +136,10 @@ class filesystem_attachments extends rcube_plugin
*/
function get($args)
{
if (!$this->verify_path($args['path'])) {
$args['path'] = null;
}
return $args;
}
@ -147,7 +158,7 @@ class filesystem_attachments extends rcube_plugin
}
foreach ((array)$files as $filename) {
if(file_exists($filename)) {
if (file_exists($filename)) {
unlink($filename);
}
}
@ -182,4 +193,34 @@ class filesystem_attachments extends rcube_plugin
}
}
}
/**
* For security we'll always verify the file path stored in session,
* as session entries can be faked in various ways e.g. #6026.
* We allow only files in Roundcube temp dir
*/
protected function verify_path($path)
{
if (empty($path)) {
return false;
}
$rcmail = rcube::get_instance();
$temp_dir = $rcmail->config->get('temp_dir');
$file_path = pathinfo($path, PATHINFO_DIRNAME);
if ($temp_dir !== $file_path) {
rcube::raise_error(array(
'code' => 403,
'file' => __FILE__,
'line' => __LINE__,
'message' => sprintf("%s can't read %s (not in temp_dir)",
$rcmail->get_user_name(), substr($path, 0, 512))
), true, false);
return false;
}
return true;
}
}

5
program/include/rcmail.php
Unescape Escape View File

@ -678,8 +678,9 @@ class rcmail extends rcube
$_SESSION['password'] = $this->encrypt($password);
$_SESSION['login_time'] = time();
if (isset($_REQUEST['_timezone']) && $_REQUEST['_timezone'] != '_default_') {
$_SESSION['timezone'] = rcube_utils::get_input_value('_timezone', rcube_utils::INPUT_GPC);
$timezone = rcube_utils::get_input_value('_timezone', rcube_utils::INPUT_GPC);
if ($timezone && is_string($timezone) && $timezone != '_default_') {
$_SESSION['timezone'] = $timezone;
}
// fix some old settings according to namespace prefix

5
program/lib/Roundcube/html.php
Unescape Escape View File

@ -349,7 +349,10 @@ class html
public static function parse_attrib_string($str)
{
$attrib = array();
$html = '<html><body><div ' . rtrim($str, '/ ') . ' /></body></html>';
$html = '<html>'
. '<head><meta http-equiv="Content-Type" content="text/html; charset=' . RCUBE_CHARSET . '" /></head>'
. '<body><div ' . rtrim($str, '/ ') . ' /></body>'
. '</html>';
$document = new DOMDocument('1.0', RCUBE_CHARSET);
@$document->loadHTML($html);

4
tests/Framework/Html.php
Unescape Escape View File

@ -117,6 +117,10 @@ class Framework_Html extends PHPUnit_Framework_TestCase
'expression="test == true ? \' test\' : \'\'" ',
array('expression' => 'test == true ? \' test\' : \'\''),
),
array(
'href="http://domain.tld/страница"',
array('href' => 'http://domain.tld/страница'),
),
);
}

Write Preview
Loading…
Cancel
Save