From 972be07a41f98a33a08e014cb0c5cdbfbadbf1ea Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Sun, 1 Oct 2017 11:58:11 +0200
Subject: [PATCH] Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
---
 CHANGELOG | 1 +
 program/lib/Roundcube/rcube_utils.php | 13 ++++++++++---
 tests/Framework/Utils.php | 4 +++-
 3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 978a8ef13..9e18dba6e 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,6 +9,7 @@ CHANGELOG Roundcube Webmail
 - Fix wording of "Mark previewed messages as read" to "Mark messages as read" (#5952)
 - Enigma: Fix decryption of messages encoded with non-ascii charset (#5962)
 - Fix missing cursor in HTML editor on mail reply (#5969)
+- Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
 RELEASE 1.3.1
 -------------
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index cc5244702..3bb244079 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -407,10 +407,17 @@ class rcube_utils
 if ($allow_remote) {
 $a_styles = preg_split('/;[\r\n]*/', $styles, -1, PREG_SPLIT_NO_EMPTY);
- foreach ($a_styles as $line) {
+ for ($i=0, $len=count($a_styles); $i < $len; $i++) {
+ $line = $a_styles[$i];
 $stripped = preg_replace('/[^a-z\(:;]/i', '', $line);
- // ... and only allow strict url() values
- if (stripos($stripped, 'url(') && !preg_match($strict_url_regexp, $line)) {
+
+ // allow data:image uri, join with continuation
+ if (stripos($stripped, 'url(data:image')) {
+ $a_styles[$i] .= ';' . $a_styles[$i+1];
+ unset($a_styles[$i+1]);
+ }
+ // allow strict url() values only
+ else if (stripos($stripped, 'url(') && !preg_match($strict_url_regexp, $line)) {
 $a_styles = array('/* evil! */');
 break;
 }
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index 9b71acef5..2a5c090d9 100644
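Review bot: The new `url(data:image` branch skips `$strict_url_regexp` for the whole line, so any other `url()` in the same declaration (e.g. `background: url(data:image/gif;base64,AA) url(javascript:alert(1))`) or inside the appended `$a_styles[$i+1]` continuation is no longer validated, whereas before this commit every line containing `url(` was tested. The branch also reads `$a_styles[$i+1]` without checking that it exists (a data URI without `;`, or one ending the style block, gives an undefined-offset notice and appends a stray `;`), and after `unset()` the loop still visits that index with a null `$line`. Both `stripos()` conditions treat a match at offset 0 as false, so a line that starts with `url(` falls through both checks; compare with `!== false`. I would consume the continuation explicitly and then require the re-joined declaration to contain exactly one `url(`, rejecting it as evil otherwise; the enclosing method begins before this hunk, so how `$a_styles` is re-joined afterwards is not visible here.
```php
                // allow data:image uri, join with continuation
                if (stripos($stripped, 'url(data:image') !== false) {
                    $joined = $line;
                    if (isset($a_styles[$i+1])) {
                        $joined = $line . ';' . $a_styles[$i+1];
                        $a_styles[$i] = $joined;
                        unset($a_styles[$i+1]);
                        $i++; // continuation consumed, do not revisit it as its own line
                    }
                    // the data URI must be the only url() in the re-joined declaration,
                    // otherwise another url() value would escape the strict check below
                    $joined_stripped = preg_replace('/[^a-z\(:;]/i', '', $joined);
                    if (substr_count(strtolower($joined_stripped), 'url(') !== 1) {
                        $a_styles = array('/* evil! */');
                        break;
                    }
                }
                // … unchanged: strict url() check (else if) …
```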
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -218,7 +218,9 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
 // allow data URIs with images (#5580)
 $mod = rcube_utils::mod_css_styles("body { background-image: url(); }", 'rcmbody');
- $this->assertEquals("#rcmbody { background-image: url(); }", $mod, "Data URIs in url() allowed");
+ $this->assertContains("#rcmbody { background-image: url();", $mod, "Data URIs in url() allowed [1]");
+ $mod = rcube_utils::mod_css_styles("body { background-image: url(); }", 'rcmbody', true);
+ $this->assertContains("#rcmbody { background-image: url();", $mod, "Data URIs in url() allowed [2]");
 }
 function test_xss_entity_decode()
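Review bot: Both new assertions cover only the accepting path of the `url(data:image` branch; there is no case showing that a data URI does not switch off the strict `url()` check for the rest of the declaration, which is the property that branch could weaken. I would add, next to the `true` variant, `$mod = rcube_utils::mod_css_styles("body { background: url(data:image/gif;base64,AA) url(javascript:alert(1)); }", 'rcmbody', true);` followed by `$this->assertContains('/* evil! */', $mod, "Data URI does not bypass strict url() check");`, assuming the evil marker reaches the returned string as the `/* evil! */` assignment in rcube_utils suggests. The enclosing test method starts before this hunk, and the `url()` arguments in the fixtures are not legible on this page, so the exact data URI under test cannot be checked here.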