banananetwork
/
roundcubemail
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix bug in remote content blocking on HTML image and style tags (#6178)

Browse Source
pull/6180/head
Aleksander Machniak 7 years ago
parent f211fcf254
commit 9d2b303b51
4 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File

1
CHANGELOG
Unescape Escape View File

@ -73,6 +73,7 @@ CHANGELOG Roundcube Webmail
- Fix duplicated labels in Test SMTP Config section (#6166) - Fix duplicated labels in Test SMTP Config section (#6166)
- Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169) - Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169)
- Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149) - Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
- Fix bug in remote content blocking on HTML image and style tags (#6178)
RELEASE 1.3.4 RELEASE 1.3.4
------------- -------------

4
program/lib/Roundcube/rcube_utils.php
Unescape Escape View File

@ -514,11 +514,11 @@ class rcube_utils
*/ */
public static function xss_entity_decode($content) public static function xss_entity_decode($content)
{ {
$callback = function($matches) { return chr(hexdec($matches[1])); }; $callback = function($matches) { return chr(hexdec(trim($matches[1]))); };
$out = html_entity_decode(html_entity_decode($content)); $out = html_entity_decode(html_entity_decode($content));
$out = trim(preg_replace('/(^<!--|-->$)/', '', trim($out))); $out = trim(preg_replace('/(^<!--|-->$)/', '', trim($out)));
$out = preg_replace_callback('/\\\([0-9a-f]{4})/i', $callback, $out); $out = preg_replace_callback('/\\\([0-9a-f]{2,4})\s*/i', $callback, $out);
$out = preg_replace('#/\*.*\*/#Ums', '', $out); $out = preg_replace('#/\*.*\*/#Ums', '', $out);
$out = strip_tags($out); $out = strip_tags($out);

2
program/lib/Roundcube/rcube_washtml.php
Unescape Escape View File

@ -415,7 +415,7 @@ class rcube_washtml
return $attr == 'background' return $attr == 'background'
|| $attr == 'color-profile' // SVG || $attr == 'color-profile' // SVG
|| ($attr == 'poster' && $tag == 'video') || ($attr == 'poster' && $tag == 'video')
|| ($attr == 'src' && preg_match('/^(img|source|input|video|audio)$/i', $tag)) || ($attr == 'src' && preg_match('/^(img|image|source|input|video|audio)$/i', $tag))
|| ($tag == 'image' && $attr == 'href'); // SVG || ($tag == 'image' && $attr == 'href'); // SVG
} }

3
tests/Framework/Utils.php
Unescape Escape View File

@ -206,6 +206,9 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
$mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\006c( javascript:alert(&#039;xss&#039;) )", 'rcmbody'); $mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\006c( javascript:alert(&#039;xss&#039;) )", 'rcmbody');
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)"); $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)");
$mod = rcube_utils::mod_css_styles("background: \\75 \\72 \\6C ('/images/img.png')", 'rcmbody');
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (3)");
// position: fixed (#5264) // position: fixed (#5264)
$mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody'); $mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)"); $this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)");

Write Preview
Loading…
Cancel
Save