Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899)

CHANGELOG

@@ -18,6 +18,7 @@ RELEASE 1.3.10
 - Fix wrong messages order after returning to a multi-folder search result (#6836)
 - Fix PHP 7.4 deprecation: implode() wrong parameter order (#6866)
 - Fix security issue where it was possible to bypass the position:fixed CSS check in received messages (#6898)
+- Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899)
 
 RELEASE 1.3.9
 -------------

program/lib/Roundcube/rcube_utils.php

@@ -388,7 +388,7 @@ class rcube_utils
             return '/* evil! */';
         }
 
-        $strict_url_regexp = '!url\s*\([ "\'](https?:)//[a-z0-9/._+-]+["\' ]\)!Uims';
+        $strict_url_regexp = '!url\s*\(\s*["\']?(https?:)//[a-z0-9/._+-]+["\']?\s*\)!Uims';
 
         // cut out all contents between { and }
         while (($pos = strpos($source, '{', $last_pos)) && ($pos2 = strpos($source, '}', $pos))) {

tests/Framework/Utils.php

@@ -233,6 +233,10 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
         $this->assertContains("#rcmbody { background-image: url(data:image/png;base64,123);", $mod, "Data URIs in url() allowed [1]");
         $mod = rcube_utils::mod_css_styles("body { background-image: url(data:image/png;base64,123); }", 'rcmbody', true);
         $this->assertContains("#rcmbody { background-image: url(data:image/png;base64,123);", $mod, "Data URIs in url() allowed [2]");
+
+        // Allow strict url()
+        $mod = rcube_utils::mod_css_styles("body { background-image: url(http://example.com); }", 'rcmbody', true);
+        $this->assertContains("#rcmbody { background-image: url(http://example.com);", $mod, "Strict URIs in url() allowed with \$allow_remote=true");
     }
 
     function test_xss_entity_decode()